The Centre for Internet and Society
http://editors.cis-india.org
These are the search results for the query, showing results 31 to 45.
Token security or tokenized security?
http://editors.cis-india.org/internet-governance/news/livemint-january-9-2018-manasa-venkataraman-ajay-patri-token-security-or-tokenized-security
<b>Implementing a system of tokenization for Aadhaar verification will address the security loopholes highlighted in recent reports.</b>
<p style="text-align: justify; ">The article by Manasa Venkataraman and Ajay Patri was published in <a class="external-link" href="http://www.livemint.com/Opinion/Kx7GIb4P73EpEtpxOFzi6M/Token-security-or-tokenized-security.html">Livemint</a> <span>on January 9, 2018.</span></p>
<hr style="text-align: justify; " />
<p class="S3l" style="text-align: justify; ">Those who were reassured that the Aadhaar architecture is safe and secure have faced a few rude shocks lately. First, there was the recent report in <i>The Tribune </i>on how one of its reporters was easily able to log in to the Aadhaar website and access any enrolled Indian’s personal information, all for a grand fee of Rs500. While the veracity of this report is still being contested by the Unique Identification Authority of India (UIDAI), it has stirred panic over the security of personal data entrusted to the government. This came close on the heels of reports last month that a telecom company was utilizing the eKYC (know your customer) data of its mobile subscribers to open payment bank accounts without their consent.</p>
<p style="text-align: justify; ">These two instances highlight scenarios where data from the Aadhaar database is vulnerable. In the first, the weaknesses in security measures and processes around the database leave information susceptible to an attack. In the second, providing third-party entities loosely regulated access to an individual’s data leaves scope for abuse.</p>
<p style="text-align: justify; ">There is a need to protect the data belonging to individuals in these situations, providing the government with two possible policy options: it can choose to either overhaul the Aadhaar architecture completely, or it can build in additional security measures to ensure that individual data is not compromised.</p>
<p style="text-align: justify; ">Uninventing Aadhaar is not a practical proposal. It would have to include repealing the statute on Aadhaar, disbanding the database already created, and figuring out alternative means of delivering the services that are now dependent on Aadhaar. A more sustainable way forward is to better secure Aadhaar. This will involve not only the secure collection and storage of personal data, but also a safe regulation of the manner in which third parties use it for authentication.</p>
<p style="text-align: justify; ">One way to protect Aadhaar-related communications is to channel them through a secure conduit. This can be achieved through a system of temporary tokens for Aadhaar-based verifications. Sunil Abraham from the Centre for Internet and Society (CIS) has recommended a system of using dummy or virtual Aadhaar numbers along with a smart card to protect information belonging to individuals.</p>
<p style="text-align: justify; ">Tokenization is the process of masking sensitive personal data with another innocuous dataset, allowing it to be shared with third parties without the risk of the personal data being exposed. So, every time a service provider asks for identification, the individual can provide a one-time-ID number generated by an Aadhaar app or on UIDAI’s website. The service provider can authenticate the one-time-ID number with the Aadhaar database, without needing to know or store the Aadhaar number. The algorithm used to generate the one-time-ID number must be constructed using hard-to-replicate information and kept a well-guarded secret. No two service providers will have the same one-time ID, making it harder for personal profiles to be constructed by mining data from multiple service providers, thus enabling a higher level of privacy protection.</p>
<p style="text-align: justify; ">Allowing such a system of tokenization for every eKYC can create a welcome layer of ambiguity around individuals’ personal data and preserve the individuals’ Aadhaar-related information with the government. This system also breaks the link between the Aadhaar database and any third party having access to an individual’s Aadhaar number. If this link is not broken, then any entity—government or private—would have access to potentially millions of Aadhaar card numbers, opening endless possibilities for data abuse.</p>
<p style="text-align: justify; ">The tokenization process allows the authority to arrest any attempts at data abuse. In fact, to make this system of tokens or one-time-ID numbers effective, the law must build in measures to penalize any attempt to recreate an individual’s Aadhaar number from the unique token number. In other words, the service provider is given a token number for authentication, but prohibited from obtaining the Aadhaar number it corresponds to.</p>
<p style="text-align: justify; ">Tokenization is an improvement over the status quo, but only in one aspect—making Aadhaar secure. It is imperative that the government pays equal attention to the manner in which all data is collected, stored and disposed of by the authority. There are two facets to be explored here: first, ensuring secure storage of the vast information database, and second, plugging security loopholes that happen at collection by limiting access to the database.</p>
<p style="text-align: justify; ">The adoption of appropriate technical safeguards is indispensable to thwart external threats to the Aadhaar database, such as ransomware attacks. Having appropriate security, and having periodic audits to test the adequacy of such security, is indispensable.</p>
<p style="text-align: justify; ">Equally, limiting access to the database is crucial for preventing leaks, such as the ones reported in <i>The Tribune</i>. It is important that only a select few individuals have access to the database and that these personnel are properly vetted before being vested with such responsibility.</p>
<p style="text-align: justify; ">These various facets of the Aadhaar ecosystem are likely to be further examined in the public in the weeks to come as the Supreme Court gears up to hear the petitions on Aadhaar. Regardless of the verdict, there is an urgent need to improve the safety of the Aadhaar ecosystem and the use of tokenization goes some way towards achieving this objective.</p>
<p style="text-align: justify; "><i>Manasa Venkataraman and Ajay Patri are researchers at the Takshashila Institution, an independent, non-partisan think tank and school of public policy.</i></p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-01-17T00:17:41Z | News Item
To protect data, don’t opt for plastic or laminated Aadhaar card: UIDAI
http://editors.cis-india.org/internet-governance/news/livemint-komal-gupta-february-7-2017-to-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar
<b>Unauthorized printing of Aadhaar cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, UIDAI says.</b>
<p>The article by Komal Gupta was <a class="external-link" href="http://www.livemint.com/Politics/5Gr7j4bgNoLRVtf10cjrzK/To-protect-data-dont-opt-for-plastic-or-laminated-Aadhaar.html">published by Livemint</a> on February 7, 2017</p>
<hr />
<p class="S3l" style="text-align: justify; ">To protect information provided by holders of Aadhaar, the Unique Identification Authority of India (UIDAI) on Tuesday cautioned people against opting for plastic or laminated “smart” cards.</p>
<p style="text-align: justify; ">Unauthorized printing of the cards could render the QR (quick response) code dysfunctional or even expose personal data without an individual’s informed consent, it said in a statement on Tuesday.</p>
<p style="text-align: justify; ">Besides, opting for plastic or laminated cards opened up the possibility of Aadhaar details (personal sensitive demographic information) being shared with devious elements without the informed consent of holders, the statement added.</p>
<p>According to UIDAI, the Aadhaar letter sent by it, a cutaway portion or downloaded versions of Aadhaar on ordinary paper or mAadhaar are perfectly valid.</p>
<p style="text-align: justify; ">“If a person has a paper Aadhaar card, there is absolutely no need to get his/her Aadhaar card laminated or obtain a plastic Aadhaar card or so called smart Aadhaar card by paying money. There is no concept such as smart or plastic Aadhaar card,” UIDAI chief executive officer Ajay Bhushan Pandey said in a statement.</p>
<p style="text-align: justify; ">Printing Aadhaar on a plastic/PVC sheet privately can cost anywhere between Rs50 and Rs300 or more, UIDAI said. It added that a printout of the downloaded Aadhaar card, even in black and white, is as valid as the original Aadhaar letter sent by UIDAI.</p>
<p>It added that in case a person loses his Aadhaar card, he can download the card free from <i>https://eaadhaar.uidai.gov.in.</i></p>
<p style="text-align: justify; ">Pandey asked holders not to share Aadhaar number or personal details with unauthorized agencies for getting the card laminated, or printed on plastic.</p>
<p style="text-align: justify; ">The agency also directed unauthorized agencies not to collect Aadhaar information from people, reminding them that collecting such information or unauthorized printing of Aadhaar card is a criminal offence punishable with imprisonment.</p>
<p style="text-align: justify; ">“I feel a lot more has to be done by UIDAI. Sadly, by encouraging people to rely on printed Aadhaar ‘cards’, UIDAI is ending up with the worst of both worlds with respect to personal data protection: photocopies of so-called Aadhaar cards/letter are being circulated to facilitate identity fraud as well as the kind of dangerous personal data disclosures that centralized databases enable,” said Pranesh Prakash, policy director at think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">Last month, UIDAI put in place a two-layer security to reinforce privacy protections for Aadhaar holders—it introduced a virtual identification so that the actual number need not be shared to authenticate their identity. Simultaneously, it further regulated the storage of the Aadhaar numbers within various databases.</p>
No publisher | Admin | Aadhaar | Internet Governance | Privacy | 2018-02-07T01:00:00Z | News Item
The soon-to-be launched Aadhaar Pay will let you make purchases using your fingerprint
http://editors.cis-india.org/internet-governance/news/economic-times-indulekha-aravind-january-15-2017-the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint
<b>Paying for your groceries and other goods by using your biometrics instead of an e-wallet, debit card or cash seems to be the next phase in the Centre’s ambitious push to shift the country to a “less cash” economy, as its mandarins term it.</b>
<p style="text-align: justify; ">The article by Indulekha Aravind was <a class="external-link" href="http://economictimes.indiatimes.com/news/economy/policy/the-soon-to-be-launched-aadhaar-pay-will-let-you-make-purchases-using-your-fingerprint/articleshow/56542475.cms">published in the Economic Times</a> on 15 January 2017. Sunil Abraham was <a class="external-link" href="http://economictimes.indiatimes.com/et-now/experts/sunil-abraham-on-aadhaars-misuse-during-demonetisation/videoshow/56544492.cms">consulted for this</a>.</p>
<hr />
<p style="text-align: justify; "> </p>
<p style="text-align: justify; ">Ajay Bhushan Pandey, CEO of the Unique Identification Authority of India (UIDAI), says it will be rolling out Aadhaar-enabled payment system, or Aadhaar Pay, for merchants in the next few weeks. This will be an app for merchants that enables them to receive payments through biometric authentication of the customer, provided their bank accounts are linked to their Aadhaar number. "A pilot is under way in fair price shops in Andhra Pradesh where shopkeepers are accepting payments from PDS beneficiaries. The results are very encouraging," says Pandey.</p>
<p style="text-align: justify; ">The idea takes off from the existing Aadhaar-enabled payment system (AEPS) used by bank business correspondents (BCs) in rural areas to disburse and accept cash, using micro ATMs. "We are trying to tweak this so that a similar device can be used by a local merchant," says Pandey. Adoption will depend on two factors: merchants’ acceptance of it and whether they can use an app rather than a micro ATM. The biggest advantage through this method of payment, says Pandey, is that the customer will not need a credit or debit card, or even a smartphone.</p>
<p style="text-align: justify; ">The limits for transactions using AEPS, such as the number of daily transactions, will be left to the discretion of the banks. In the long term, the AEPS will be migrated to the BHIM (Bharat Interface for Money) platform but the rollout of Aadhaar Pay will happen before that. Post demonetisation, banking BC’s number of transactions using AEPS has leapt from 4-5 lakh to 14-15 lakh, says Pandey. According to Reserve Bank of India data on electronic payment systems, the total volume of such transactions jumped from 671 million in November 2016 to 957 million in December. USSD-based payments, which can be done using a basic feature phone, are among the biggest beneficiaries: the volume rose from just 7,000 in November to 1,02,000 in December, and value of transactions from over Rs 7,000 to over Rs 1 lakh. Prepaid payment instruments — mainly mobile wallets — rose from 59 million to 88 million in the same period (and value from Rs 1,300 crore to Rs 2,100 crore).</p>
<p style="text-align: justify; ">While Aadhaar Pay is likely to ride the demonetisation wave if it is launched soon, certain concerns remain, chief among them how secure such a payment system will be. The UIDAI CEO says it is a paramount concern for the organisation, too. "We are using the latest technology to ensure the information stays encrypted end-to-end, so that information is not leaked or misused. In the months to come, we will strengthen the security."</p>
<p style="text-align: justify; "><b>Wary About Security</b> <br /> Sunil Abraham, executive director of the Centre for Internet and Society, a think tank that has been analysing the Aadhaar project for six years, outlines several reasons why Aadhaar-based biometrics is inappropriate for authentication in payments, unlike card-based payments that use cryptography. <br /> <br /> "With biometrics, there is always an error ratio. It is imprecise matching, whereas with cryptography (smart cards), there is no false positive or negative. You either have the key (PIN) or you don’t. It is also very cheap to defeat biometric authentication — even an unlettered person can do it," says Abraham. It would be easy enough, he says, to replicate someone else’s fingerprint by pressing it against lukewarm wax and filling the mould with glue to get a dummy finger. In contrast, compromising a smart card requires more cost and effort, from tech-savviness to machines such as a skimmer that will read the card. "And once you are compromised, you are compromised forever. You can’t change it, like a debit card PIN."</p>
<p style="text-align: justify; ">Using Aadhaar for authentication had proved to be a failure during the exchange of currency notes following demonetisation, he adds, pointing to how the poor and the middle class stood in queues for money while stacks of new currency were recovered from the homes of businessmen and bureaucrats. "When you have bank officials who are corrupt, giving them your biometrics is giving them more ammunition for corruption." To catch the criminals, law enforcement agencies had to resort to CCTV footage, a relatively older technology, he says. Others point out that while it may be secure, certain factors stand in the way of making biometrics-based payment authentication a large-scale success. Amrish Rau, CEO of PayU India, a payment gateway provider, cites a list of reasons why it would inevitably take off but only in 5-10 years.</p>
<p style="text-align: justify; ">"For one, the technology is not yet good enough. There are also bandwidth and data constraints in sending biometric data," says Rau. Even in more mature markets, it has yet to find widespread acceptance, he says, pointing to the slow adoption of Apple Pay and Samsung Pay in the US. "It’s not the answer today.” This is in contrast to NITI Aayog CEO Amitabh Kant’s recent remarks that cards and PoS machines would become redundant by 2020 because Indians would be making payments using their thumb (biometrics). "... my view is that in the next two and a half years, India will make all its debit cards, credit cards, all ATM machines, all PoS machines totally irrelevant,” Kant had said at a Pravasi Bharatiya Divas session in Bengaluru.</p>
<div style="text-align: justify; ">UIDAI’s Pandey is more circumspect. “I wouldn’t say who would replace what. But from the government’s side we are encouraging all modes of digital payment. India has a diverse population and some people might prefer using a card, others a wallet. Collectively, they will contribute to a less-cash society.”</div>
No publisher | praskrishna | Demonetisation | Digital Payment | Digital Governance | Digital Economy | Privacy | Internet Governance | Digital Money | Video | Aadhaar | Biometrics | 2017-01-16T03:14:22Z | News Item
The New Aadhaar Bill in Plain English
http://editors.cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english
<b>We have put together a plain English version of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016.</b>
<h2 id="docs-internal-guid-4528559b-63ee-ea8a-5fc7-ff5b32b069f6" dir="ltr">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016</h2>
<p> </p>
<h5 dir="ltr">Chapter I. PRELIMINARY</h5>
<p> </p>
<p dir="ltr">Section 1</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">This Act is called Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It will be applicable in the whole of India (except the state of Jammu and Kashmir).</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It will become applicable on a date to be notified by the Central Government.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 2</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Aadhaar number” is the identification number issued to an individual under the Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Aadhaar number holder” is the person who has been given an Aadhaar number;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“authentication” is the process of verifying the Aadhaar number, demographic information and biometric information of any person by the Central Identities Data Repository (CIDR);</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“authentication record” is the record of the authentication which will contain the identity of the requesting entity and the response of the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Authority” or “UIDAI” refers to the Unique Identification Authority of India established under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“benefit” means any relief or payment which may be notified by the Central Government;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“biometric information” means photograph, fingerprint, Iris scan, or any other biological attributes specified by regulations;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Central Identities Data Repository” or “CIDR” means a centralised database containing all Aadhaar numbers, demographic information and biometric information and other related information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Chairperson” means the Chairperson of the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“core biometric information” means fingerprint, Iris scan, or any biological attributes specified by regulations;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“demographic information” includes information relating to the name, date of birth, address and other relevant information as specified by regulations. This information will not include race, religion, caste, tribe, ethnicity, language, records of entitlement, income or medical history;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“enrolling agency” means an agency appointed by the UIDAI or a Registrar for collecting demographic and biometric information of individuals for issuing Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“enrolment” means the process of collecting demographic and biometric information from individuals for the purpose of issuing Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“identity information” in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Member” includes the Chairperson and Member of the Authority appointed under section 12;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“notification” means a notification published in the Official Gazette and the expression “notified” with its cognate meanings and grammatical variations will be construed accordingly;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“prescribed” means prescribed by rules made by the Central Government under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“records of entitlement” means the records of benefits, subsidies or services provided to any individual under any government programme;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“Registrar” means any person authorized by the UIDAI to enroll individuals under the Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“regulations” means the regulations made by the UIDAI under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“requesting entity” means an agency that submits the Aadhaar number and other information of an individual to the CIDR for authentication;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“resident” means a person who has resided in India for at least 182 days in the last twelve months before the date of application for enrolment;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“service” means any facility or assistance provided by the Central Government in any form;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">“subsidy” means any form of aid, support, grant, etc. in cash or kind as notified by the Central Government.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter II. ENROLMENT</h5>
<p> </p>
<p dir="ltr">Section 3</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Every resident is entitled to get an Aadhaar number.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">At the time of enrolment, the enrolling agency will inform the individual of the following details—</p>
<ol><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">how their information will be used;</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">what type of entities the information will be shared with; and</p>
</li><li style="list-style-type: lower-alpha;" dir="ltr">
<p dir="ltr">that they have a right to see their information and also tell them how they can see their information.</p>
</li></ol>
</li>
<li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">After collecting and verifying the information given by the individuals, the UIDAI will issue an Aadhaar number to each individual.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 4</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Once an Aadhaar number has been issued to a person, it will not be re-assigned to any other person.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Aadhaar number will be a random number and will not contain any attributes or identity of the Aadhaar number holder.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If adopted by a service provider, an Aadhaar number may be accepted as proof of identity of the person.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 5</p>
<p dir="ltr">The UIDAI will take special measures to issue Aadhaar numbers to women, children, senior citizens, persons with disability, unskilled and unorganised workers, nomadic tribes or to such other persons who do not have any permanent residence and similar categories of individuals.</p>
<p> </p>
<p dir="ltr">Section 6</p>
<p dir="ltr">The UIDAI may require Aadhaar number holders to update their Aadhaar information, so that it remains accurate.</p>
<p> </p>
<h5 dir="ltr">Chapter III. AUTHENTICATION</h5>
<p> </p>
<p dir="ltr">Section 7</p>
<p dir="ltr">As a condition for receiving subsidy for which the expenditure is incurred from the Consolidated Fund of India, the Government may require that a person should be authenticated or give proof of the Aadhaar number to establish his/her identity. In the case a person does not have an Aadhaar number, he/she should make an application for enrolment. If an Aadhaar number is not assigned, the person will be offered viable and alternate means of identification for receiving the subsidy, benefit or service.</p>
<p> </p>
<p dir="ltr">Section 8</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will authenticate the Aadhaar information of people as per the conditions prescribed by the government and may also charge a fee for doing so.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any requesting entity will— (a) take consent from the individual before collecting his/her Aadhaar information; (b) use the information only for authentication with the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The entity requesting authentication will also inform the individual of the following— (a) what type of information will be shared for authentication; (b) what will the information be used for; and (c) whether there is any alternative to submitting the Aadhaar information to the requesting entity.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will respond to the authentication request with yes, no, or other appropriate response and share identity information about the Aadhaar number holder but not share any biometric information.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 9</p>
<p dir="ltr">The Aadhaar number or its authentication will not be a proof of citizenship or domicile.</p>
<p> </p>
<p dir="ltr">Section 10</p>
<p dir="ltr">The UIDAI may engage any number of entities to establish and maintain the CIDR and to perform any other functions specified by the regulations.</p>
<h5 dir="ltr"><br class="kix-line-break" />Chapter IV. UNIQUE IDENTIFICATION AUTHORITY OF INDIA</h5>
<p dir="ltr"><br class="kix-line-break" />Section 11</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be established by the Central Government to be responsible for the processes of enrolment and authentication of Aadhaar numbers.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be a body corporate with the power to buy and sell property, to enter into contracts and to sue or be sued.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The head office of the UIDAI will be in New Delhi.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI may establish its offices at other places in India.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 12</p>
<p dir="ltr">The UIDAI will have a Chairperson, two part-time Members and a chief executive officer, who are to be appointed by the Central Government.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 13</p>
<p dir="ltr">The Chairperson and Members will be competent people with at least 10 years’ experience and knowledge in technology, governance, law, development, economics, finance, management, public affairs or administration.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 14</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson and the Members will be appointed for 3 years and can be re-appointed after their term. But no Member or Chairperson will be more than 65 years of age.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson and Members will take an oath of office and of secrecy.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson or Member may— (a) resign from office, by giving an advance written notice of at least 30 days; or (b) be removed from his office because she/he gets disqualified on any of the grounds mentioned in section 15.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The salaries and allowances of the Members and Chairperson will be prescribed under the government. <br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 15</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Central Government may remove a Chairperson or Member, who—<br class="kix-line-break" />(a) has gone bankrupt; <br class="kix-line-break" />(b) is physically or mentally unable to do his/her job;<br class="kix-line-break" />(c) has been convicted of an offence involving moral turpitude;<br class="kix-line-break" />(d) has a financial conflict of interest in performing his/her functions; or<br class="kix-line-break" />(e) has abused his/her position so that the government needs to remove him/her in public interest.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Chairperson or a Member will be given a chance to present his/her side of the story before being removed, unless he/she is being removed on the grounds of bankruptcy or criminal conviction. <br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 16</p>
<p dir="ltr">An Ex-Chairperson or Ex-Member will have to take the approval of the Central Government,—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to accept any job in any entity (other than a government organization) which was associated with any work done for the UIDAI while that person was a Chairperson or Member, for a period of three years after ceasing to hold office;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to act or advise any entity on any particular transaction for which that person had provided advice to the UIDAI while he/she was the Chairperson or a Member;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to give advice to any person using information which was obtained as the Chairperson or a Member which is not available to the public in general; or</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">to accept any offer of employment or appointment as a director of any company with which he/she had direct and significant official dealings during his/her term of office, for a period of three years.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 17</p>
<p dir="ltr">The Chairperson will preside over the meetings of the UIDAI and have the powers and perform the functions of the UIDAI.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<p dir="ltr">Section 18</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The chief executive officer (CEO) of the UIDAI will not be below the rank of Additional Secretary to the Government of India.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The chief executive officer will be responsible for— (a) the day-to-day administration of the UIDAI; (b) implementing the programmes and decisions of the UIDAI; (c) making proposals for the UIDAI; (d) preparation of the accounts and budget of the UIDAI; and (e) performing any other functions prescribed in the regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The CEO will annually submit the following things to the UIDAI for its approval — (a) a general report covering all the activities of the Authority in the previous year; (b) programmes of work; (c) the annual accounts for the previous year; and (d) the budget for the coming year.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The CEO will have administrative control over the officers and other employees of the Authority.</p>
</li></ol>
<p dir="ltr"><br class="kix-line-break" />Section 19</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> The time and place of the meetings of the UIDAI and the rules and procedures of those meetings will be prescribed by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The meetings will be presided over by the Chairperson and, in the Chairperson's absence, by the senior-most Member of the UIDAI.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">All decisions at the meetings of the UIDAI will be taken by a majority vote. In case of a tie, the person presiding over the meeting will have the casting vote.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">All decisions of the UIDAI will be signed by the Chairperson or any other Member or the Member-Secretary authorised by the UIDAI in this behalf.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If any Member is a director of a company and because of this has any financial interest in matters coming up for consideration at a meeting, that Member should disclose the financial interest and not take any further part in the discussions and decision on that matter.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 20</p>
<p dir="ltr">No action or proceeding of the UIDAI will become invalid merely because of—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any vacancy in, or any defect in the constitution of, the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any defect in the appointment of a person as Chairperson or Member of the Authority; or</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">any irregularity in the procedure of the Authority not affecting the merits of the case.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 21</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI, with the approval of the Government, can decide on the number and types of officers and employees that it would require.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The salaries and allowances of the employees, officers and chief executive officer will be prescribed by the government.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 22</p>
<p dir="ltr">Once the UIDAI is established—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr"> all the assets and liabilities of the existing Unique Identification Authority of India, established by the Government of India through notification dated the 28th January, 2009, will stand transferred to the new UIDAI.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all data and information collected during enrolment, and all details of authentication performed, by the existing Unique Identification Authority of India will be deemed to have been done by the UIDAI. All debts, liabilities incurred and all contracts entered into by the Unique Identification Authority of India will be deemed to have been entered into by the UIDAI;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all money due to the existing Unique Identification Authority of India will be deemed to be due to the UIDAI; and</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">all suits and other legal proceedings instituted by or against such Unique Identification Authority of India may be continued by or against the UIDAI.<br class="kix-line-break" /><br class="kix-line-break" /></p>
</li></ol>
<p dir="ltr">Section 23</p>
<p dir="ltr">The UIDAI will develop the policy, procedure and systems for issuing Aadhaar numbers to individuals and perform their authentication. The powers and functions of the UIDAI include—</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the demographic information and biometric information required for enrolment and the processes for collection and verification of that information;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">collecting demographic information and biometric information from people seeking Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">appointing one or more entities to operate the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">generating and assigning Aadhaar numbers to individuals;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">performing authentication of Aadhaar numbers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">maintaining and updating the information of individuals in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">omitting and deactivating an Aadhaar number;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the manner of use of Aadhaar numbers for the purposes of providing or availing of various subsidies and other purposes for which Aadhaar numbers may be used;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the terms and conditions for appointment of Registrars, enrolling agencies and service providers and revocation of their appointments;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">establishing, operating and maintaining the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">sharing the information of Aadhaar number holders;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">calling for information and records, conducting inspections, inquiries and audit of the operations of the CIDR, Registrars, enrolling agencies and other agencies appointed under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying processes relating to data management, security protocols and other technology safeguards under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">specifying the conditions/procedures for issuance of a new Aadhaar number to an existing Aadhaar number holder;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">levying and collecting the fees or authorising the Registrars, enrolling agencies or other service providers to collect fees for the services provided by them under this Act;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">appointing committees necessary to assist the Authority in discharge of its functions;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">promoting research and development for advancement in biometrics and related areas;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">making and specifying policies and practices for Registrars, enrolling agencies and other service providers;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">setting up facilitation centres and grievance redressal mechanisms;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">other powers and functions as prescribed.</p>
</li></ol>
<p dir="ltr">The Authority may,— (a) enter into agreements with various state governments and Union Territories for collecting, storing, securing or processing of information or delivery of Aadhaar numbers to individuals or performing authentication; (b) appoint Registrars, engage and authorize agencies to collect, store, secure, process information or do authentication or perform other functions under this Act. The Authority may engage consultants, advisors and other persons required for efficient discharge of its functions.<br class="kix-line-break" /><br class="kix-line-break" /></p>
<h5 dir="ltr">Chapter V. GRANTS, ACCOUNTS AND AUDIT AND ANNUAL REPORT</h5>
<p> </p>
<p dir="ltr">Section 24</p>
<p dir="ltr">The Central Government may grant money to the UIDAI as it may decide, upon due appropriation by Parliament.</p>
<p> </p>
<p dir="ltr">Section 25</p>
<p dir="ltr">Fees/revenue collected by the UIDAI will be credited to the Consolidated Fund of India.</p>
<p> </p>
<p dir="ltr">Section 26</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will prepare an annual statement of accounts in the format prescribed by the Central Government.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Comptroller and Auditor-General will audit the account of the UIDAI annually at intervals decided by him, at the UIDAI’s expense.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Comptroller and Auditor-General or his appointees will have the same powers of audit they usually have to audit Government accounts.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will forward the statement of accounts certified by the Comptroller and Auditor-General and the audit report, to the Central Government who will lay it before both houses of Parliament.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 27</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will provide returns, statements and particulars as sought, to the Central Government, as and when required.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will prepare an annual report containing the description of work for previous years, annual accounts of previous year, and the programmes of work for coming year.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The copy of the annual report will be laid before both houses of Parliament by the Central Government.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VI. PROTECTION OF INFORMATION</h5>
<p> </p>
<p dir="ltr">Section 28</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will ensure the security and confidentiality of identity information and authentication records.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will take measures to ensure that all information with the UIDAI, including CIDR records is secured and protected against access, use or disclosure and against destruction, loss or damage.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will adopt and implement appropriate technical and organisational security measures, and ensure the same are imposed through agreements/arrangements with its agents, consultants, advisors or other persons.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Unless otherwise provided, the UIDAI or its agents will not reveal any information in the CIDR to anyone.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Aadhaar number holder may request the UIDAI to provide access to his information (excluding the core biometric information) as per the regulations specified.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 29</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The core biometric information collected will not be a) shared with anyone for any reason, and b) used for any purpose other than generation of Aadhaar numbers and authentication.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Identity information, other than core biometric information, may be shared only as per this Act and regulations specified under it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Identity information available with a requesting entity will not be used for any purpose other than what is specified to the individual, nor will it be shared further without the individual’s consent.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Aadhaar numbers or core biometric information will not be made public except as specified by regulations.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 30</p>
<p dir="ltr">All biometric information collected and stored in electronic form will be deemed to be “electronic record” and “sensitive personal data or information” under Information Technology Act, 2000 and its provisions and rules will apply to it in addition to this Act.</p>
<p> </p>
<p dir="ltr">Section 31</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">If the demographic or biometric information about any Aadhaar number holder changes, is lost or is found to be incorrect, they may request the UIDAI to make changes to their record in the CIDR, as necessary.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The identity information in the CIDR will not be altered, except as provided in this Act.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 32</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will maintain the authentication records in the manner and for as long as specified by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Every Aadhaar number holder may obtain his authentication record as specified by regulations.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will not collect, keep or maintain any information about the purpose of authentication.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 33</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI may reveal identity information, authentication records or any information in the CIDR following a court order by a District Judge or higher. Any such order may only be made after UIDAI is allowed to appear in a hearing.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The confidentiality provisions in Sections 28 and 29 will not apply with respect to disclosure made in the interest of national security following directions by a Joint Secretary to the Government of India, or an officer of a higher rank, authorised for this purpose.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">An Oversight Committee comprising Cabinet Secretary, and Secretaries of two departments — Department of Legal Affairs and DeitY— will review every direction under 33 B above.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Any directions under 33 B above are valid for 3 months, after which they may be extended following a review by the Oversight Committee.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VII. OFFENCES AND PENALTIES</h5>
<p> </p>
<p dir="ltr">Section 34</p>
<p dir="ltr">Impersonating or attempting to impersonate another person by providing false demographic or biometric information will be punishable by imprisonment of up to three years, and/or fine of up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 35</p>
<p dir="ltr">Changing or attempting to change any demographic or biometric information of an Aadhaar number holder by impersonating another person (or attempting to do so), with the intent of i) causing harm or mischief to an Aadhaar number holder, or ii) appropriating the identity of an Aadhaar number holder, is punishable with imprisonment up to three years and fine up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 36</p>
<p dir="ltr">Collection of identity information by one not authorised by this Act, by way of pretending otherwise, is punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 37</p>
<p dir="ltr">Intentional disclosure or dissemination of identity information, to any person not authorised under this Act, or in violation of any agreement entered into under this Act, will be punishable with imprisonment up to three years or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 38</p>
<p dir="ltr">The following intentional acts, when not authorised by the UIDAI, will be punishable with imprisonment up to three years and a fine not less than ten lakh rupees:</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">accessing or securing access to the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">downloading, copying or extracting any data from the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">introducing or causing any virus or other contaminant into the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">damaging or causing damage to the data in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">disrupting or causing disruption to access to CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">causing denial of access to the CIDR to an authorised person;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">revealing information in breach of (D) in Section 28, or Section 29;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">destruction, deletion or alteration of any files in the CIDR;</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">stealing, destruction, concealment or alteration of any source code used by the UIDAI.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 39</p>
<p dir="ltr">Tampering of data in the CIDR or removable storage medium, with the intention to modify or discover information relating to Aadhaar number holder will be punishable with imprisonment up to three years and a fine up to ten thousand rupees.</p>
<p> </p>
<p dir="ltr">Section 40</p>
<p dir="ltr">Use of identity information in violation of Section 8 (3) by a requesting entity will be punishable with imprisonment up to three years and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p dir="ltr"><br class="kix-line-break" />Section 41</p>
<p dir="ltr">Violation of Section 8 (3) or Section 3 (2) by a requesting entity or enrolling agency will be punishable with imprisonment up to one year and/or a fine up to ten thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 42</p>
<p dir="ltr">Any offence against this Act or regulations made under it, for which no specific penalty is provided, will be punishable with imprisonment up to one year and/or a fine up to twenty five thousand rupees (in case of an individual), and fine up to one lakh rupees (in case of a company).</p>
<p> </p>
<p dir="ltr">Section 43</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In case of an offence under this Act committed by a Company, all persons in charge of and responsible for the conduct of the company will also be held to be guilty and liable for punishment unless they can prove lack of knowledge of the offence or that they had exercised all due diligence to prevent it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In case an offence is committed by a Company with the consent, connivance or neglect of a director, manager, secretary or other officer of a company, they will also be held guilty of the offence.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 44</p>
<p dir="ltr">This Act will also apply to offences committed outside of India by any person, irrespective of their nationality, if the offence involves any data in the CIDR.</p>
<p> </p>
<p dir="ltr">Section 45</p>
<p dir="ltr">Offences under this Act will not be investigated by police officers below the rank of Inspector of Police.</p>
<p> </p>
<p dir="ltr">Section 46</p>
<p dir="ltr">Penalties imposed under this Act will not prevent imposition of any other penalties or punishment under any other law in force.</p>
<p> </p>
<p dir="ltr">Section 47</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Courts will take cognizance of offences under this Act only upon complaint being made by the UIDAI or any officer authorised by it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">No court inferior to that of a Chief Metropolitan Magistrate or a Chief Judicial Magistrate will try any offence under this Act.</p>
</li></ol>
<p> </p>
<h5 dir="ltr">Chapter VIII. MISCELLANEOUS</h5>
<p> </p>
<p dir="ltr">Section 48</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government has the power to supersede the UIDAI, through a notification, not for longer than six months, in the following circumstances: i) In case of circumstances beyond the control of the UIDAI, ii) The UIDAI has defaulted in complying with directions of the Central Government, affecting financial position of the UIDAI, iii) Public emergency</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Upon publication of notification, Chairperson and Members of the UIDAI must vacate the office</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Powers, functions and duties will be performed by person(s) authorised by the President.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Properties controlled and owned by UIDAI will vest in the Central Government.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government will reconstitute the UIDAI upon expiration of supersession, with fresh appointment of Chairperson and Members.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 49</p>
<p dir="ltr">Chairperson, members, employees etc. are deemed to be public servants within the meaning of section 21 of the Indian Penal Code.</p>
<p> </p>
<p dir="ltr">Section 50</p>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Central Government has the power to issue directions to the UIDAI on questions of policy (to be decided by the Government), except technical and administrative matters and the UIDAI will be bound by it.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI will be given an opportunity to express views before direction is given.</p>
</li></ol>
<p> </p>
<p dir="ltr">Section 51</p>
<p dir="ltr">The UIDAI may delegate its powers and functions to a Member or officer of the UIDAI.</p>
<p> </p>
<p dir="ltr">Section 52</p>
<p dir="ltr">No suit, prosecution or other legal proceedings will lie against the Central Government, UIDAI, Chairperson, any Member, officer, or other employees of the UIDAI for an act done in good faith.</p>
<p> </p>
<p dir="ltr">Section 53</p>
<p dir="ltr">The Central Government has the power to make Rules for matters prescribed under this provision.</p>
<p> </p>
<p dir="ltr">Section 54</p>
<p dir="ltr">UIDAI has the power to make regulations for matters prescribed under this provision.</p>
<p> </p>
<p dir="ltr">Section 55</p>
<p dir="ltr">Rules and regulations under this Act will be laid before each House of Parliament for a total period of thirty days, both Houses must agree in making modification, and then the Rules will come into effect.</p>
<p> </p>
<p dir="ltr">Section 56</p>
<p dir="ltr">Provisions of this Act are in addition to, and not in derogation of any other law currently in effect.</p>
<p> </p>
<p dir="ltr">Section 57</p>
<p dir="ltr">This Act will not prevent use of Aadhaar number for other purposes under law by the State or other bodies.</p>
<p> </p>
<p dir="ltr">Section 58</p>
<p style="text-align: justify;" dir="ltr">The Central Government may pass an order to remove a difficulty in giving effect to the provisions of this Act, not beyond three years from the commencement of this Act.</p>
<p> </p>
<p dir="ltr">Section 59</p>
<p style="text-align: justify;" dir="ltr">Action taken by the Central Government under the Resolution of the Government of India for setting up the UIDAI or by the Department of Electronics and Information Technology under the notification including the UIDAI under the Ministry of Communications and Information Technology will be deemed to have been validly done or taken.</p>
<p> </p>
<h5 dir="ltr">STATEMENT OF OBJECTS AND REASONS</h5>
<ol><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Correct identification of targeted beneficiaries for delivery of subsidies, services, grants, benefits, etc. has become a challenge for the Government.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">This has proved to be a major hindrance for successful implementation of these programmes.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">In the absence of a credible system to authenticate identity of beneficiaries, it is difficult to ensure that the subsidies, benefits and services reach the intended beneficiaries.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The UIDAI was established to lay down policies and implement the Unique Identification Scheme of the Government, by which residents of India were to be provided a unique identity number.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">Upon successful authentication, this number would serve as proof of identity for identification of beneficiaries for transfer of benefits, subsidies, services and other purposes.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">With increased use of the Aadhaar number, steps to ensure security of such information need to be taken and offences pertaining to certain unlawful actions, created.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">It has been felt that the processes of enrolment, authentication, security, confidentiality and use of Aadhaar related information must be made statutory.</p>
</li><li style="list-style-type: upper-alpha;" dir="ltr">
<p dir="ltr">The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 seeks to provide for issuance of Aadhaar numbers to individuals on providing his demographic and biometric information to the UIDAI, requiring Aadhaar numbers for identifying an individual for delivery of benefits, subsidies, and services, authentication of the Aadhaar number, establishment of the UIDAI, maintenance and updating the information of individuals in the CIDR, state measures pertaining to security, privacy and confidentiality of information in possession or control of the UIDAI including information stored in the Central Identities Data Repository and identify offences and penalties for contravention of relevant statutory provisions.</p>
</li></ol>
<p> </p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english'>http://editors.cis-india.org/internet-governance/blog/the-new-aadhaar-bill-in-plain-english</a>
</p>
Amber Sinha, Vanya Rakesh and Vipul Kharbanda | UID, Privacy, Internet Governance, Aadhaar, Biometrics | 2016-03-11T04:41:38Z | Blog Entry
The Last Chance for a Welfare State Doesn’t Rest in the Aadhaar System
http://editors.cis-india.org/internet-governance/blog/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system
<b>Boosting welfare is the message, which is how Aadhaar is being presented in India. The Aadhaar system as a medium, however, is one that enables tracking, surveillance, and data monetisation. This piece by Sumandro Chattapadhyay was published in The Wire on April 19, 2016.</b>
<p> </p>
<p><em>Originally published in and cross-posted from <a href="http://thewire.in/2016/04/19/the-last-chance-for-a-welfare-state-doesnt-rest-in-the-aadhaar-system-30256/">The Wire</a>.</em></p>
<hr />
<p>Once upon a time, a king desired that his parrot should be taught all the ancient knowledge of the kingdom. The priests started feeding the pages of the great books to the parrot with much enthusiasm. One day, the king asked the priests if the parrot’s education had been completed. The priests poked the belly of the parrot but it made no sound. Only the rustle of undigested pages inside the belly could be heard. The priests declared that the parrot was indeed a learned one now.</p>
<p>The fate of the welfare system in our country is quite similar to this parrot from Tagore’s parable. It has been forcefully fed identification cards and other official documents (often four copies of the same) for years, and always with the same justification of making it more effective and fixing the leaks. These identification regimes are in effect killing off the welfare system. And some may say that that has been the actual plan in any case.</p>
<p>The Aadhaar number has been recently offered as <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the ‘last chance’ for the ailing welfare system</a> – a last identification regime that it needs to gulp down to survive. This argument wilfully overlooks the acute problems with the Aadhaar project.</p>
<p>Firstly, the ‘last chance’ for a welfare state in India is not provided by implementing a new and improved identification regime (Aadhaar numbers or otherwise), but by enabling citizens to effectively track, monitor, and ensure delivery of welfare, services, and benefits. This ‘opening up’ of the welfare bureaucracy has been most effectively initiated by the Right to Information Act. Instead of a centralised biometrics-linked identity verification platform, which gives the privilege of tracking and monitoring welfare flows only to a few expert groups, an effective welfare state requires the devolution of such privilege and responsibility.</p>
<p>We should harness the tracking capabilities of electronic financial systems to disclose how money belonging to the Consolidated Fund of India travels around state agencies and departmental levels. Instead, the Aadhaar system effectively stacks up a range of entry barriers to accessing welfare – from malfunctioning biometric scanners, to connectivity problems, to the burden of keeping one’s fingerprint digitally legible under all labouring and algorithmic circumstances.</p>
<p>Secondly, authentication of welfare recipients by Aadhaar number neither makes the welfare delivery process free of techno-bureaucratic hurdles, nor exorcises corruption. Anumeha Yadav has recently documented the emerging <a href="http://scroll.in/article/805909/in-rajasthan-there-is-unrest-at-the-ration-shop-because-of-error-ridden-aadhaar">‘unrest at the ration shop’ across Rajasthan</a>, as authentication processes face technical and connectivity delays, people get ‘locked out’ of public services for not having an Aadhaar number or for having one with incorrect demographic details, and no mechanisms exist to provide rapid and definitive recourse.</p>
<p>RTI activists at the <a href="http://www.snsindia.org/">Satark Nagrik Sangathan</a> have highlighted that the Delhi ration shops, using Aadhaar-based authentication, maintain only two columns of data to describe people who have come to the shop – those who received their ration, and those who did not (without any indication of the reason). This leads to erasure-by-design of evidence of the number of welfare-seekers who are excluded from welfare services when the Aadhaar-based authentication process fails (for valid reasons, or otherwise).</p>
<p>Reetika Khera has made it very clear that using Aadhaar Payments Bridge to directly transfer cash to a beneficiary’s account, in the best case scenario, <a href="http://www.epw.in/journal/2013/05/commentary/cost-benefit-analysis-uid.html">may only take care of one form of corruption</a>: deception (a different person claiming to be the beneficiary). But it does not address the other two common forms of public corruption: collusion (government officials approving undue benefits and creating false beneficiaries) and extortion (forceful rent seeking after the cash has been transferred to the beneficiary’s account). Evidently, going after only deception does not make much sense in an environment where collusion and extortion are commonplace.</p>
<p>Thirdly, the ‘relevant privacy question’ for Aadhaar is not limited to how UIDAI protects the data collected by it, but expands to usage of Aadhaar numbers across the public and private sectors. The privacy problem created by the Aadhaar numbers does begin, but surely does not end, with the internal data management procedures and responsibilities of the UIDAI.</p>
<p>On one hand, the Aadhaar Bill 2016 has reduced the personal data sharing restrictions of the NIAI Bill 2010, and <a href="http://scroll.in/article/806297/no-longer-a-black-box-why-does-the-revised-aadhar-bill-allow-sharing-of-identity-information">has allowed for sharing of all data except core biometrics (fingerprints and iris scan)</a> with all agencies involved in authentication of a person through her/his Aadhaar number. These agencies have been asked to seek consent from the person who is being authenticated, and to inform her/him of the ways in which the provided data (by the person, and by UIDAI) will be used by the agency. In careful wording, the Bill only asks the agencies to inform the person about “alternatives to submission of identity information to the requesting entity” (Section 8.3) but not to provide any such alternatives. This facilitates and legalises a much wider collection of personal demographic data for offering of services by public agencies “or any body corporate or person” (Section 57), which is way beyond the scope of data management practices of UIDAI.</p>
<p>On the other hand, the Aadhaar number is being seeded to all government databases – from lists of HIV patients, of rural citizens being offered 100 days of work, of students getting scholarships meant for specific social groups, of people with a bank account. Now in some sectors, such as banking, inter-agency sharing of data about clients is strictly regulated. But we increasingly have non-financial agencies playing crucial roles in the financial sector – from mobile wallets to peer-to-peer transactions to innovative credit ratings. Seeding of Aadhaar into all government and private databases would allow for easy and direct joining up of these databases by anyone who has access to them, and by no means only by security agencies.</p>
<p>When it becomes publicly acceptable that <a href="http://indianexpress.com/article/opinion/columns/aadhaar-project-uidai-last-chance-for-a-welfare-state/">the <em>money bill route</em> was a ‘remedial’ instrument to put the Rajya Sabha ‘back on track’</a>, one cannot but wonder what was being remedied by avoiding a public debate about the draft bill before it was presented in Lok Sabha. The answer is simple: <em>welfare is the message, surveillance is the medium</em>.</p>
<p>Acceptance and adoption of any medium requires a message, a content. The users are interested in the message. The message, however, is not the business. Think of Free Basics. Facebook wants people with no or limited access to the internet to enjoy parts of the internet at zero data cost. Facebook does not provide the content that the users consume on such internet. The content is created by the users themselves, and also provided by other companies. Facebook owns and controls the medium, and makes money out of all content, including interactions, passing through it.</p>
<p>The UIDAI has set up a biometric data bank and related infrastructure to offer authentication-as-a-service. As the Bill clarifies, almost all agencies (public or private, national or global) can use this service to verify the identity of Indian residents. Unlike Facebook, the content of these services does not flow through the Aadhaar system. Nonetheless, Aadhaar keeps track of all ‘authentication records’, that is, records of whose identity was authenticated by whom, when, and where. This database is a gold (data) mine for security agencies in India, and elsewhere. Further, as more agencies use authentication based on Aadhaar numbers, it becomes easier for them to combine and compare databases with other agencies doing the same, by linking each line of transaction across databases using Aadhaar numbers.</p>
<p>Welfare is the message that the Aadhaar system is riding on. The message is only useful for the medium as far as it ensures that the majority of the user population are subscribing to it. Once the users are enrolled, or on-boarded, the medium enables flow of all kinds of messages, and tracking and monetisation (perhaps not so much in the case of UIDAI) of all those flows. It does not matter if the Aadhaar system is being introduced to remedy the broken parliamentary process, or the broken welfare distribution system. What matters is that the UIDAI is establishing the infrastructure for a universal surveillance system in India, and without a formal acknowledgement and legal framework for the same.</p>
No publisher | sumandro | UID, Data Systems, Privacy, Internet Governance, Digital India, Aadhaar, Biometrics | 2016-04-19T13:18:42Z | Blog Entry
The Dangers Of Aadhaar-Based Payments That No One Is Talking About
http://editors.cis-india.org/internet-governance/news/bloomberg-mayank-jain-january-17-2017-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about
<b>Less than three months ago, India’s banking sector was hit by a data breach which compromised 32 lakh debit cards and led to fraudulent transactions worth Rs 1.3 crore.</b>
<p style="text-align: justify; ">The article by Mayank Jain was <a class="external-link" href="http://www.bloombergquint.com/business/2017/01/17/the-dangers-of-aadhaar-based-payments-that-no-one-is-talking-about">published by Bloomberg</a> on January 17, 2017. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">The incident started a debate around security of payment systems. But the debate had just about begun when the government’s demonetisation decision dragged attention away from it. Now as the dust settles and as the government starts to push newer means of digital payments, the focus is back on the security of systems being seen as an alternative to cash.</p>
<p style="text-align: justify; ">One such system is Aadhaar-based payments which could potentially allow citizens to pay anytime anywhere with the tap of a finger.<br /><br />In theory, it sounds simple.<br /><br />The Aadhaar-based payment system runs on the existing Aadhaar infrastructure through which a person’s biometrics are used to authenticate the user. Once authenticated, the user can transfer funds directly from one bank account to another without going through a mobile wallet or a card.<br /><br />The payment system requires a smartphone, a working internet connection and a biometric authentication device with the merchant. The customer needn’t have a card or a phone as long as he or she has an Aadhaar-seeded bank account.<br /><br />National Payments Corporation of India has developed this payments infrastructure over the existing Aadhaar-Enabled Payments System, the railroad on which the public distribution system has been functioning for years now.<br /><br />Amitabh Kant, chief executive officer of the government policy think tank NITI Aayog said, earlier this month, that all cards and point-of-sale machines will become redundant in the country in the next two-and-a-half years as Aadhaar-based payments become popular.</p>
<p style="text-align: justify; "><img class="lazy" src="http://images.assettype.com/bloombergquint%2F2017-01%2Ff3e25ea3-f10b-4059-a95d-412cd4f32caf%2FKey%20Facts%20About%20Aadhaar%20Payments%20Payments%20Payments01.png?auto=format&q=60&w=1024&fm=pjpeg" /></p>
<h3 style="text-align: justify; ">A Double-Edged Sword</h3>
<p style="text-align: justify; ">While payments authenticated by biometrics sound like a good idea in a country where less than one in three people actually own a smartphone, there are fears that integrating biometrics with digital payments could prove to be a security headache.<br /><br />The first part of the problem is that Aadhaar, while effective, is not a fool-proof method of authentication and identification failures are not uncommon. Building a payment system atop the Aadhaar system will simply transfer some of these vulnerabilities.</p>
<p style="text-align: justify; "><img class="lazy" src="http://images.assettype.com/bloombergquint%2F2017-01%2F12a47aa6-10f1-4687-a471-a463f876e6d2%2FHow%20Aadhaar%20Payment%20Works.png?auto=format&q=60&w=1024&fm=pjpeg" /></p>
<p style="text-align: justify; ">The possibility of transaction failures due to a biometric mismatch is real, admitted a former high-ranking official from the Unique Identification Authority of India (UIDAI) who spoke to BloombergQuint on the condition of anonymity.<br /><br />Officially, the false reject rate – rejection of a biometric when it’s actually correct – is set at a maximum of 2 percent for devices that get certified from the UIDAI. On the ground, however, failure rates vary widely, said the official quoted above.<br /><br />According to the official statistics on UIDAI, more than 16 lakh Aadhaar-authentication requests failed in the past week. The type of errors encountered ranged from the biometric data not matching the database to demographic details not checking out.<br /><br />The failure rates on Aadhaar Enabled Payment System for interbank transactions (which is a part of all Aadhaar authentication requests) were found to be as high as 60 percent by the Watal Committee on digital payments which published its report in December.<br /><br />Additionally, newer security threats may also emerge if the scope of Aadhaar is widened. These include identity theft if a person’s biometrics are compromised from the payment system, phishing attempts, and the difficulty in revoking access once biometric information is compromised.<br /><br />Biometrics aren’t an exact science, the official quoted above said, while adding that possible glitches have to be weighed against the benefits of offering a widely accessible non-cash mode of payment to citizens.</p>
<h3 style="text-align: justify; ">How Easy Is It To Beat The System?</h3>
<p style="text-align: justify; ">Sunil Abraham, executive director of Bangalore-based research organisation Centre for Internet and Society (CIS), said that one way to assess how secure a system is, is to understand the cost and effort that goes into breaching it.<br /><br />In the case of Aadhaar-based payment systems, the costs may not be high.<br /><br />“There’s the gummy finger method which essentially requires some Fevicol or gum to duplicate someone’s fingerprint which can be enough to transact on someone’s behalf without them being there,” said Abraham in a phone conversation with BloombergQuint. “An average person can’t clone a smart card. Just Fevicol and glue can help you make a gummy finger. The biometric lobby will say that advanced scanners defeat the gummy finger attack but more advanced scanners are also more expensive.”<br /><br />Also, using more sensitive devices could push up the instance of false rejection of transactions, said Abraham.<br /><br />There are other concerns, such as the fact that devices used for Aadhaar identification could store personal information, which, in turn, could be susceptible to a breach.</p>
<blockquote class="quoted" style="text-align: justify; ">There are five main components in an Aadhaar app transaction – the customer, the vendor, the app, the back-end validation software, and the Aadhaar system itself. There are also two main external concerns – the security of the data at rest on the phone and the security of the data in transit. At all seven points, the customer’s data is vulnerable to attack. <br />Bhairav Acharya, Program Fellow, New America</blockquote>
<p style="text-align: justify; ">Acharya, who works at a U.S.-based think tank called New America and focuses on cyber-law, said the key concern is that Aadhaar data can be stolen and misused.</p>
<p style="text-align: justify; ">“The app and validation software are insecure, the Aadhaar system itself is insecure, the network infrastructure is insecure, and the laws are inadequate.”</p>
<p style="text-align: justify; ">The biometric data collected on the authentication device at a merchant location can potentially be stored on the device as well as the smartphone of a merchant for a long time. Abraham added that there is a possibility that non-certified devices will enter the market, which can store data and use it in the future to do fraudulent transactions.</p>
<p style="text-align: justify; ">The concerns over potential misuse of biometric data by private agencies have also been highlighted by the Supreme Court of India. Earlier this month, the apex court refused to expedite the hearing on a petition regarding Aadhaar being utilised for multiple use cases by private companies. It, however, <a href="http://economictimes.indiatimes.com/articleshow/56352843.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst" target="_blank"><ins>observed</ins></a> that private agencies collecting biometric data “is not a great idea”.</p>
<h3 style="text-align: justify; ">Deficient Privacy Laws</h3>
<p style="text-align: justify; ">Apar Gupta, a Delhi-based lawyer working on cyber security, says that the lack of strong privacy protecting provisions is another concern that should be kept in mind while moving towards an Aadhaar-based payment system.</p>
<p style="text-align: justify; ">“The data stays for a long time with the stakeholders in the system. The requesting agency can keep it for seven years and the UIDAI can store it for five years. There are insufficient safeguards and there’s an absence of privacy law and an independent privacy regulator,” he said.</p>
<p style="text-align: justify; ">Acharya agreed.</p>
<p style="text-align: justify; ">India does not have the necessary laws to deal with a decentralised, biometrically-authenticated, mobile payments system, according to Acharya.</p>
<p style="text-align: justify; ">“Moreover, current laws and policies regarding the Aadhaar project, particularly the centralised database, are inadequate from the point of view of data security and end-user privacy,” he said.</p>
<p style="text-align: justify; ">Abraham of CIS said the issue is wider than Aadhaar. The problem is the lack of a strong data security law.</p>
<blockquote class="quoted" style="text-align: justify; ">We only have a minimal data security law under the Section 43A of the Information and Technology Act which only applies to the private sector. There’s no law that applies to the government. Even 43A has not been applied consistently. There’s no place for you to go and complain if your identity has been compromised.<br />Sunil Abraham, Executive Director, Centre for Internet & Society</blockquote>
<p style="text-align: justify; ">Gupta noted that, in the event of an identity threat, avenues of recourse are also limited. He said the best option is an appeal in the civil court, which is a long drawn out process.</p>
<p style="text-align: justify; ">In the final analysis, according to Abraham, credit and debit cards are easier to secure as access can be revoked quickly.</p>
<p style="text-align: justify; ">“The trouble with biometrics is that the chain of trust is harder to establish because too many people can get access to biometrics and then you need to devise these convoluted solutions like hardware secure zones,” Abraham said.</p>
<p style="text-align: justify; ">“So the advantage of going with a smart card is that it can be easily re-secured, but with biometrics, once I compromise it, it’s lifelong.”</p>
No publisher | praskrishna | Digital Payment, Privacy, Internet Governance, Digital Money, Digital India, Aadhaar | 2017-01-17T14:39:53Z | News Item
The Centre for Internet and Society’s Comments and Recommendations to the: Indian Privacy Code, 2018
http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018
<b>The debate surrounding privacy has in recent times gained momentum due to the Aadhaar judgement and the growing concerns around the use of personal data by corporations and governments.</b>
<p>Click to download the <a class="external-link" href="http://cis-india.org/internet-governance/files/indian-privacy-code">file here</a></p>
<hr />
<p style="text-align: justify; ">As India moves towards greater digitization, and technology becomes even more pervasive, there is a need to ensure the privacy of the individual as well as hold the private and public sector accountable for the use of personal data. Towards enabling public discourse and furthering the development of a privacy framework for India, a group of lawyers and policy analysts backed by the Internet Freedom Foundation (IFF) have put together a draft citizen's bill encompassing a citizen-centric privacy code that is based on seven guiding principles.<a href="#_ftn1"><sup><sup>[1]</sup></sup></a> This draft builds on the Citizens Privacy Bill, 2013 that had been drafted by CIS on the basis of a series of roundtables conducted in India.<a href="#_ftn2"><sup><sup>[2]</sup></sup></a> Privacy is one of the key areas of research at CIS and we welcome this initiative and hope that our comments make the Act a stronger embodiment of the right to privacy.</p>
<h1 style="text-align: justify; ">Section by Section Recommendations</h1>
<h2 style="text-align: justify; ">Preamble</h2>
<p style="text-align: justify; "><b>Comment:</b> The Preamble specifies that the need for privacy has increased in the digital age, with the emergence of big data analytics.</p>
<p style="text-align: justify; "><b>Recommendation:</b> It could instead be worded as ‘with the emergence of technologies such as big data analytics’, so as to recognize the impact of multiple technologies and processes including big data analytics.</p>
<p style="text-align: justify; "><b>Comment:</b> The Preamble states that it is necessary for good governance that all interceptions of communication and surveillance be conducted in a systematic and transparent manner subservient to the rule of law.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The word ‘systematic’ is out of place, and can be interpreted incorrectly. It could instead be replaced with words such as ‘necessary’, ‘proportionate’, ‘specific’, and ‘narrow’, which would be more appropriate in this context.</p>
<h2 style="text-align: justify; ">Chapter 1</h2>
<h2 style="text-align: justify; ">Preliminary</h2>
<p style="text-align: justify; "><b>Section 2: </b>This Section defines the terms used in the Act.</p>
<p style="text-align: justify; "><b>Comment:</b> Some of the terms are incomplete and a few of the terms used in the Act have not been included in the list of definitions.</p>
<p style="text-align: justify; "><b>Recommendations:</b></p>
<ul style="text-align: justify; ">
<li>The term “effective consent” needs to be defined. The term is first used in the Proviso to Section 7(2), which states “Provided that effective consent can only be said to have been obtained where...:” It is crucial that the Act defines effective consent, especially when it is with respect to sensitive data.</li>
<li>The term “open data” needs to be defined. The term is first used in Section 5 that states the exemptions to the right to privacy. Subsection 1 clause ii states as follows “the collection, storage, processing or dissemination by a natural person of personal data for a strictly non-commercial purposes which may be classified as open data by the Privacy Commission”. Hence the term open data needs to be defined in order to ensure that there is no ambiguity in terms of what open data means.</li>
<li>The Act does not define “erasure”, although the term erasure does come under the definition of destroy (Section 2(1)(p)). There are some provisions that use the word erasure; hence, if erasure and destruction mean different acts, then the term erasure needs to be defined. Otherwise, in order to maintain uniformity, the sections where erasure is used could be substituted with the term “destroy” as defined under this Act.</li>
<li>The definition of “sensitive personal data” does not include location data and identification numbers. The definition of sensitive data must include location data as the Act also deals in depth with surveillance. With respect to identification numbers, the Act needs to consider identification numbers (e.g. the Aadhaar number, PAN number etc.) as sensitive information as this number is linked to a person's identity and can reveal sensitive personal data such as name, age, location, biometrics etc. An example can be taken from Section 4(1) of the GDPR<a href="#_ftn3"><sup><sup>[3]</sup></sup></a> which identifies location data as well as identification numbers as sensitive personal data along with other identifiers such as biometric data, gender, race etc.</li>
<li>The Act defines consent as the “unambiguous indication of a data subject’s agreement”; however, the definition does not indicate that the consent needs to be informed. Hence the revised definition could read as follows: “the informed and unambiguous indication of a data subject’s agreement”. It is also unclear how this definition of consent relates to ‘effective consent’. This relationship needs to be clarified.</li>
<li>The Act defines ‘data controller’ in Section 2(1)(l) as “any person including appropriate government..”. In order to remove any ambiguity over the definition of the term person, the definition could specify that the term person means any natural or legal person.</li>
<li>The Act defines ‘data processor’ in Section 2(1)(m) as “means any person including appropriate government”. In order to remove any ambiguity over the definition of the term ‘any person’, the definition could specify that the term person means any natural or legal person.</li>
</ul>
<h2 style="text-align: justify; ">CHAPTER II</h2>
<h2 style="text-align: justify; ">Right to Privacy</h2>
<p style="text-align: justify; "><b>Section 5: </b>This section provides exemptions to the right to privacy.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 5(1)(ii) states that the collection, storage, processing or dissemination by a natural person of personal data for strictly non-commercial purposes is exempted from the provisions of the right to privacy. This clause also states that this data may be classified as open data by the Privacy Commission. This section hence provides individuals immunity for the collection, storage, processing and dissemination of data of another person. However, this provision fails to state what specific activities qualify as non-commercial use.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This provision could potentially be strengthened by specifying that the use must be in the public interest. The other issue with this subsection is that it fails to define open data. If open data was to be examined using its common definition, i.e. “data that can be freely used, modified, and shared by anyone for any purpose”,<a href="#_ftn4"><sup><sup>[4]</sup></sup></a> then this section becomes highly problematic, as a simple interpretation would mean that any personal data that is collected, stored, processed or disseminated by a natural person can possibly become available to anyone. Beyond this, India has an existing framework governing open data. Ideally the privacy commissioner could work closely with government departments to ensure that open data practices in India are in compliance with the privacy law.</p>
<h2 style="text-align: justify; ">CHAPTER III</h2>
<h2 style="text-align: justify; ">Protection of Personal Data</h2>
<h2 style="text-align: justify; ">PART A</h2>
<p style="text-align: justify; "><b>Notice by data controller </b></p>
<p style="text-align: justify; "><b>Section 6: </b>This section specifies the obligations to be followed by data controllers in their communication, to maintain transparency and lays down provisions that all communications by Data Controllers need to be complied with.</p>
<p style="text-align: justify; "><b>Comment:</b> There seems to be an error in the <i>Proviso </i>to this section. The proviso states “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b>shall may be </b>refused when the Data Controller is, unable to identify or has a well founded basis for reasonable doubts as to the identity of the Data Subject or are manifestly unfounded, excessive and repetitive, with respect to the information sought by the Data Subject ”.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The proviso could read as follows: “Provided that all communications by the Data Controllers including but not limited to the rights of Data Subjects under this part <b><i>may</i></b> be refused when the Data Controller is…”. We suggest the use of ‘may’ as this makes the provision less limiting to the rights of the data controller.</p>
<p style="text-align: justify; ">Additionally, it is not completely clear what ‘including but not limited to...’ would entail. This could be clarified further.</p>
<h2 style="text-align: justify; ">PART B</h2>
<h2 style="text-align: justify; ">CONSENT OF DATA SUBJECTS</h2>
<p style="text-align: justify; "><b>Section 10: </b>This section talks about the collection of personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3) lays down the information that a person must provide before collecting the personal data of an individual.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xi) states as follows “the time and manner in which it will be destroyed, or the criteria used to Personal data collected in pursuance of a grant of consent by the data subject to whom it pertains shall, if that consent is subsequently withdrawn for any reason, be destroyed forthwith: determine that time period;”. There seems to be a problem with the sentence construction and the rather complex sentence is difficult to understand.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could be reworked in such a way that two conditions are clear: one, the time and manner in which the data will be destroyed, and two, the status of the data once consent is withdrawn.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 10(3)(xiii) states that the identity and contact details of the data controller and data processor must be provided. However it fails to state that the data controller should provide more details with regard to the process for grievance redressal. It does not provide guidance on what type of information needs to go into this notice and the process of redressal. This could lead to very broad disclosures about the existence of redress mechanisms without providing individuals an effective avenue to pursue.</p>
<p style="text-align: justify; "><b>Recommendation: </b>As part of the requirement for providing the procedure for redress, data controllers could specifically be required to provide the details of the Privacy Officers, privacy commissioner, as well as provide more information on the redressal mechanisms and the process necessary to follow.</p>
<p style="text-align: justify; "><b>Section 11: </b>This section lays out the provisions where collection of personal data without prior consent is possible.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11 states “Personal data may be collected or received from a third party by a Data Controller the prior consent of the data subject only if it is:..”. However, as the title of the section suggests, the sentence is meant to indicate the situations where it is permissible to collect personal data without prior consent from the data subject. Hence the word “without” is missing from the sentence. Additionally, the sentence could state that the personal data may be collected or received directly from an individual or from a third party, as it is possible to directly collect personal data from an individual without consent.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The sentence could read as “Personal data may be collected or received from an <b>individual or a third party </b>by a Data Controller <b><i>without</i></b> the prior consent of the data subject only if it is:..”.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 11(1)(i) allows the collection of personal data without prior consent when it is “necessary for the provision of an emergency medical service or essential services”. However, it does not specify the kind or severity of the medical emergency.</p>
<p style="text-align: justify; "><b>Recommendation: </b>In addition to medical emergency another exception could be made for imminent threats to life.</p>
<p style="text-align: justify; "><b>Section 12: </b>This section details the Special provisions in respect of data collected prior to the commencement of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data collected, processed and stored by data controllers and data processors prior to the date on which this Act comes into force shall be destroyed within a period of two years from the date on which this Act comes into force, unless consent is obtained afresh within two years or the personal data has been anonymised in such a manner as to make re-identification of the data subject absolutely impossible. However, this process can be highly difficult and impractical, as it is time consuming and expensive, particularly in cases of analog collections of data. This is especially problematic in cases where the controller cannot seek the consent of the data subject due to a change in address, unavailability or death. This will also be problematic in cases of digitized government records.</p>
<p style="text-align: justify; "><b>Recommendation:</b> We suggest three ways in which the issue of data collected prior to the Act can be handled. One way is to make a distinction on the data based on whether the data controller has specified the purpose of the collection before collecting the data. If the purpose was not defined then the data can be deleted or anonymised. Hence there is no need to collect the data afresh for all the cases. The purpose of the data can also be intimated to the data subject at a later stage and the data subject can choose if they would like the controller to store or process the data. The second way is by seeking consent afresh only for the sensitive data. Lastly, the data controller could be permitted to retain records of data, but must necessarily obtain fresh consent before using them. By not having a blanket provision of retrospective data deletion, the Act can address situations where deletion is complicated or might have a potential negative impact by allowing storage, deletion, or anonymisation of data based on its purpose and kind.</p>
<p style="text-align: justify; "><b>Comment:</b> Section (2)(1)(i) of the Act states that the data will not be destroyed provided that <b>effective consent</b> is obtained afresh within two years. However as stated earlier the Act does not define effective consent.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The term <b>effective consent </b>needs to be defined in order to bring clarity to this provision.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">FURTHER LIMITATIONS ON DATA CONTROLLERS</h2>
<p style="text-align: justify; "><b>Section 16: </b>This section deals with the security of personal data and duty of confidentiality.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 16(2) states “Any person who collects, receives, stores, processes or otherwise handles any personal data shall be subject to a duty of confidentiality and secrecy in respect of it.” Similarly Section 16(3) states “data controllers and data processors shall be subject to a duty of confidentiality and secrecy in respect of personal data in their possession or control.” However, apart from the duty of confidentiality and secrecy, the data collectors and processors could also have a duty to maintain the security of the data. Though it is important for confidentiality and secrecy to be maintained, ensuring security requires adequate and effective technical controls to be in place.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section could also emphasise the duty of the data controllers to ensure the security of the data. The breach notification could include details about data that is impacted by a breach or attack as well as the technical details of the infrastructure compromised.</p>
<p style="text-align: justify; "><b>Section 17:</b> This section details the conditions for the transfer of personal data outside the territory of India.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 17 allows a transfer of personal data outside the territory of India in 3 situations: if the Central Government issues a notification deciding that the country/international organization in question can ensure an adequate level of protection, compatible with privacy principles contained in this Act; if the transfer is pursuant to an agreement which binds the recipient of the data to similar or stronger conditions in relation to handling the data; or if there are appropriate legal instruments and safeguards in place, to the satisfaction of the data controller. However, there is no clarification for what would constitute ‘adequate’ or ‘appropriate’ protection, and it does not account for situations in which the Government has not yet notified a country/organisation as ensuring adequate protection. In comparison, the GDPR, in Chapter V<a href="#_ftn5"><sup><sup>[5]</sup></sup></a>, contains factors that must be considered when determining adequacy of protection, including relevant legislation and data protection rules, the existence of independent supervisory authorities, and international commitments or obligations of the country/organization. Additionally, the GDPR allows data transfer even in the absence of the determination of such protection in certain instances, including the use of standard data protection clauses that have been adopted or approved by the Commission; legally binding instruments between public authorities; approved code of conduct, etc. Additionally, it allows derogations from these measures in certain situations: when the data subject expressly agrees, despite being informed of the risks; or if the transfer is necessary for conclusion of contract between data subject and controller, or controller and third party in the interest of data subject; or if the transfer is necessary for reasons of public interest, etc. No such circumstances are accounted for in Section 17.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Additionally, data controllers and processors could be provided with a period to allow them to align their policies towards the new legislation. Making these provisions operational as soon as the Act is commenced might render the controllers or processors guilty of involuntarily breaching the provisions of the Act.</p>
<p style="text-align: justify; "><b>Section 19: </b>This section<b> </b>states the special provisions for sensitive personal data.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 19(2) states that in addition to the requirements set out under sub-clause (1), the Privacy Commission shall set out additional protections in respect of: i. sensitive personal data relating to data subjects who are minors; ii. biometric and deoxyribonucleic acid data; and iii. financial and credit data. This however creates additional categories of sensitive data apart from the ones that have already been created.<a href="#_ftn6"><sup><sup>[6]</sup></sup></a> These additional categories can result in confusion and errors.</p>
<p style="text-align: justify; "><b>Recommendation: </b>Sensitive data must not be further categorised as this can lead to confusion and errors. Hence all sensitive data could be subject to the same level of protection.</p>
<p style="text-align: justify; "><b>Section 20:</b> This section states the special provisions for data impact assessment.</p>
<p style="text-align: justify; "><b>Comment:</b> This section states that all data impact assessment reports will be submitted periodically to the State Privacy commission. This section does not make provisions for instances or circumstances in which such records may be made public. Additionally the data impact assessment could also include a human rights impact assessment.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could also have provisions for making the records of the impact assessment or relevant parts of the assessment public. This will ensure that the data controllers / processors are subjected to a standard of accountability and transparency. Additionally as privacy is linked to human rights the data impact assessment could also include a human rights impact assessment. The Act could further clarify the process for submission to State Privacy Commissions and potential access by the Central Privacy Commission to provide clarity in process.</p>
<p style="text-align: justify; ">Section 20 requires controllers who use new technology to assess the risks to the data protection rights that occur from processing. ‘New technology’ is defined to include pre-existing technology that is used anew. Additionally, the reports are required to be sent to the State Privacy Commission periodically. However, there is no clarification on the situations in which such an assessment becomes necessary, or whether all technology must undergo such an assessment before its use. Additionally, the differentiation between different data processing activities based on whether the data processing is incidental or a part of the functioning needs to be clarified. This differentiation is necessary as there are some data processors and controllers who need the data to function; for instance an ecommerce site would require your name and address to deliver the goods, although these sites do not process the data to make decisions. This can be compared to a credit rating agency that is using the data to make decisions as to who will be given a loan based on their creditworthiness. An example can be taken from the GDPR, which in Article 35 specifies instances in which a data impact assessment is necessary: where a new technology, that is likely to result in a high risk to the rights of persons, is used; where personal aspects related to natural persons are processed automatically, including profiling; where special categories of data (including data revealing ethnic/racial origin, sexual orientation etc) or biometric/genetic data are processed; where data relating to criminal convictions is processed; and with data concerning the monitoring of publicly accessible areas. Additionally, there is no requirement to publish the report, or send it to the supervising authority, but the controller is required to review the processor’s operations to ensure its compliance with the assessment report.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The reports could be sent to a central authority, which according to this Act is the Privacy Commission, along with the State Privacy Commission. Additionally there needs to be a differentiation between the incidental and express use of data. The data processors must be given at least a period of one year after the commencement of the Act to present their impact assessment report. This period is required for the processors to align themselves with the provisions of the Act as well as conduct capacity building initiatives.</p>
<h2 style="text-align: justify; ">PART C</h2>
<h2 style="text-align: justify; ">RIGHTS OF A DATA SUBJECT</h2>
<p style="text-align: justify; "><b>Section 21: </b>This section explains the right of the data subject with regard to accessing her data. It states that the data subject has the right to obtain from the data controller information as to whether any personal data concerning her is collected or processed. The data controller also has to not only provide access to such information but also the personal data that has been collected or processed.</p>
<p style="text-align: justify; "><b>Comment:</b> This section does not provide the data subject the right to seek information about security breaches.</p>
<p style="text-align: justify; "><b>Recommendation: </b>This section could state that the data subject has the right to seek information about any security breaches that might have compromised her data (through theft, loss, leaks etc.). This could also include steps taken by the data controller to address the immediate breach as well as steps to minimise the occurrence of such breaches in the future.<a href="#_ftn7"><sup><sup>[7]</sup></sup></a></p>
<h2 style="text-align: justify; ">CHAPTER IV</h2>
<h2 style="text-align: justify; ">INTERCEPTION AND SURVEILLANCE</h2>
<p style="text-align: justify; "><b>Section 28: </b>This section lists out the special provisions for competent organizations.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 28(1) states “all provisions of Chapter III shall apply to personal data collected, processed, stored, transferred or disclosed by competent organizations unless when done as per the provisions under this chapter”. This does not make provisions for other categories of data such as sensitive data.</p>
<p style="text-align: justify; "><b>Recommendation:</b> This section needs to include not just personal data but also sensitive data, in order to ensure that all types of data are protected under this Act.</p>
<p style="text-align: justify; "><b>Section 30:</b> This section states the provisions for prior authorisation by the appropriate Surveillance and Interception Review Tribunal.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 30(5) states “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception, or where communications relate to <b>medical, journalistic, parliamentary or legally privileged material</b> may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission as to the necessity for the interception and the safeguards providing for minimizing the material intercepted to the greatest extent possible and the destruction of all such material that is not strictly necessary to the purpose of the interception.” This section needs to state why these categories of communication are more sensitive than others. Additionally, interceptions typically target people and not topics of communication: thus medical matters may be part of a conversation between two construction workers, and a doctor will communicate about finances.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The section could, instead of singling out “medical, journalistic, parliamentary or legally privileged material”, state that “any interception involving the infringement of the privacy of individuals who are not the subject of the intended interception may be involved, shall satisfy additional conditions including the provision of specific prior justification in writing to the Office for Surveillance Reform of the Privacy Commission.”</p>
<p style="text-align: justify; "><b>Section 37</b>: This section details the bar against surveillance.</p>
<p style="text-align: justify; "><b>Comment: </b>Section 37(1) states that “no person shall order or carry out, or cause or assist the ordering or carrying out of, any surveillance of another person”. The section also prohibits indiscriminate monitoring, or mass surveillance, unless it is necessary and proportionate to the stated purpose. However, it is unclear whether this prohibits surveillance by a resident of their own residential property, which is allowed in Section 5, as the same could also fall within ‘indiscriminate monitoring/mass surveillance’. For instance, in the case of a camera installed in a residential property, which is outward facing, and therefore captures footage of the road/public space.</p>
<p style="text-align: justify; "><b>Recommendation:</b> The Act needs to bring more clarity with regard to surveillance especially with respect to CCTV cameras that are installed in private places, but record public spaces such as public roads. The Act could have provisions that clearly define the use of CCTV cameras in order to ensure that cameras installed in private spaces are not used for carrying out mass surveillance. Further, the Act could address the use of emerging techniques and technology such as facial recognition technologies, that often rely on publicly available data.</p>
<h2 style="text-align: justify; ">CHAPTER V</h2>
<h2 style="text-align: justify; ">THE PRIVACY COMMISSION</h2>
<p style="text-align: justify; "><b>Section 53:</b> This section details the powers and functions of the Privacy Commission.</p>
<p style="text-align: justify; "><b>Comment:</b> Section 53(2)(xiv) states that the Privacy Commission shall publish periodic reports “providing description of performance, findings, conclusions or recommendations of any or all of the functions assigned to the Privacy Commission”. However this Section does not make provisions for such reporting to happen annually and to make them publicly available, as well as contain details including financial aspects of matters contained within the Act.</p>
<p style="text-align: justify; "><b>Recommendation: </b>The functions could include a duty to disclose the information regarding the functioning and financial aspects of matters contained within the Act. Categories that could be included in such reports include: the number of data controllers, number of data processors, number of breaches detected and mitigated etc.</p>
<h2 style="text-align: justify; ">CHAPTER IX</h2>
<h2 style="text-align: justify; ">OFFENCES AND PENALTIES</h2>
<p style="text-align: justify; "><b>Sections 73 to 80:</b> These sections lay out the different punishments for controlling and processing data in contravention to the provisions of this Act.</p>
<p style="text-align: justify; "><b>Comment:</b> These sections, while laying out different punishments for controlling and processing data in contravention to the provisions of this Act, mete out a fine extending up to Rs. 10 crore. This is problematic as it does not base these penalties on the finer aspects of proportionality, such as offences that are not as serious as the others.<br /> <br /> <b>Recommendation:</b> There could be a graded approach to the penalties based on the degree of severity of the offence. This could be in the form of name and shame, warnings and penalties that can be graded based on the degree of the offence.</p>
<p style="text-align: justify; ">Additional thoughts: As India moves to a digital future there is a need for laws to be in place to ensure that individuals' rights are not violated. By riding on the push to digitization, and emerging technologies such as AI, a strong all-encompassing privacy legislation can allow India to leapfrog and use these emerging technologies for the benefit of the citizens without violating their privacy. A robust legislation can also ensure a level playing field for data driven enterprises within a framework of openness, fairness, accountability and transparency.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><a href="#_ftnref1"><sup><sup>[1]</sup></sup></a> These seven principles include: Right to Access, Right to Rectification, Right to Erasure And Destruction of Personal Data, Right to Restriction Of Processing, Right to Object, Right to Portability of Personal Data, Right to Seek Exemption from Automated Decision-Making.</p>
<p style="text-align: justify; "><a href="#_ftnref2"><sup><sup>[2]</sup></sup></a> The Privacy (Protection) Bill 2013: A Citizen’s Draft, Bhairav Acharya, Centre for Internet & Society, available at https://cis-india.org/internet-governance/blog/privacy-protection-bill-2013-citizens-draft</p>
<p style="text-align: justify; "><a href="#_ftnref3"><sup><sup>[3]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/art-4-gdpr/.</p>
<p style="text-align: justify; "><a href="#_ftnref4"><sup><sup>[4]</sup></sup></a> Antonio Vetro, Open Data Quality Measurement Framework: Definition and Application to Open Government Data, available at https://www.sciencedirect.com/science/article/pii/S0740624X16300132</p>
<p style="text-align: justify; "><a href="#_ftnref5"><sup><sup>[5]</sup></sup></a> General Data Protection Regulation, available at https://gdpr-info.eu/chapter-5/.</p>
<p style="text-align: justify; "><a href="#_ftnref6"><sup><sup>[6]</sup></sup></a> Sensitive personal data under Section 2(bb) includes, biometric data; deoxyribonucleic acid data; sexual preferences and practices; medical history and health information; political affiliation; membership of a political, cultural, social organisations including but not limited to a trade union as defined under Section 2(h) of the Trade Union Act, 1926; ethnicity, religion, race or caste; and financial and credit information, including financial history and transactions.</p>
<p style="text-align: justify; "><a href="#_ftnref7"><sup><sup>[7]</sup></sup></a> Submission to the Committee of Experts on a Data Protection Framework for India, Amber Sinha, Centre for Internet & Society, available at https://cis-india.org/internet-governance/files/data-protection-submission</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018'>http://editors.cis-india.org/internet-governance/blog/the-centre-for-internet-and-society2019s-comments-and-recommendations-to-the-indian-privacy-code-2018</a>
</p>
No publisher | Shweta Mohandas, Elonnai Hickok, Amber Sinha and Shruti Trikanand | Aadhaar, Internet Governance, Privacy | 2018-07-20T13:55:46Z | Blog Entry
The Aadhaar of all things
http://editors.cis-india.org/internet-governance/news/hindu-businessline-shriya-mohan-the-aadhaar-of-all-things
<b>From a severely critical stand against Aadhaar in 2014, the Modi-led BJP in power has made a sharp U-turn to bulldoze its way into having every Indian scanned, tagged and labelled. A timeline of the country’s chequered date with the unique identification project.</b>
<p>The article by Shriya Mohan was published in the <a class="external-link" href="http://www.thehindubusinessline.com/blink/cover/the-aadhaar-of-all-things/article9609603.ece">Hindu Businessline </a>on March 31, 2017. Sunil Abraham was quoted.</p>
<hr />
<p class="body" style="text-align: justify; ">You’ve probably read the WhatsApp joke about a post-Aadhaar scenario in 2020 India. A man orders pizza over phone. He is asked for his Aadhaar number first. He then orders a family-size seafood pizza, only to be reminded by the attendant about his high blood pressure and cholesterol levels (thanks to his Aadhaar history visible to everybody “on the system”) and is advised to order the low-fat Hokkien Mee pizza instead, based on his recent search history on Hokkien cuisine. As if this isn’t creepy enough, the pizza guy refuses a card payment, citing the man’s maxed-out credit cards, advises against ATM withdrawal owing to his massive overdraft and even decides to hold off the free cola offer given his dire health situation. When the man turns livid, he is told to mind his language, given that in 2007 he was already imprisoned for verbally abusing a policeman!</p>
<p class="body" style="text-align: justify; ">2020 is two and a half years away, and the WhatsApp scenario appears less incredible by the day.</p>
<p class="body" style="text-align: justify; ">By the government’s latest estimate, 112,01,12,468 Aadhaar cards have been issued since January 2009, when the Unique Identification Authority of India (UIDAI) was set up under the Planning Commission. So if you are an adult Indian resident without an Aadhaar card, you are in a two per cent minority (98 per cent adults are covered).</p>
<p class="body" style="text-align: justify; ">Last week, Finance Minister Arun Jaitley said the 12-digit number would be the single monolith identity for all Indians in the coming years, replacing every other identity card. The government is serious because each week a new scheme is added to the three dozen schemes in which Aadhaar has been made mandatory. All the 84 schemes under the direct subsidy benefit transfer programme are expected to follow suit.</p>
<p class="body" style="text-align: justify; ">Here are just a few instances in which you should be ready to whip out your Aadhaar card — a free midday meal at a government school, access to Sarv Shiksha Abhiyan, LPG subsidy and foodgrains under the public distribution system, six scholarship schemes for students with disabilities, getting your EPF pensions, booking a train ticket online, getting a backward caste quota or benefit, and, according to the most recent directive in the Finance Bill, filing your tax returns.</p>
<p class="body" style="text-align: justify; ">Why did a dispensation so critical of Aadhaar in 2014 make a sharp U-turn to bulldoze its way into having every single Indian citizen scanned, tagged and labelled?</p>
<p class="body" style="text-align: justify; ">The earliest felt need for an identification project can be traced to the Kargil Review Committee, instituted by the Vajpayee Government in 1999, in the wake of the Indo-Pak war. The Krishnaswamy Subrahmanyam-led panel had recommended a citizenship database for the identification of legitimate Indian citizens living in border areas.</p>
<p class="body" style="text-align: justify; ">As outlined in a Scroll article, this quickly expanded to include all Indians under the Multipurpose National Identity Card project, which was pilot tested in a few villages. The Citizenship Act was also amended to give a legislative backing to the scheme, which built on the Bharatiya Janata Party’s general stance against illegal immigrants.</p>
<p class="body" style="text-align: justify; "><b>The search for identity</b></p>
<p class="body" style="text-align: justify; ">The Citizenship Act was amended in 2004 by the incumbent Congress government to make way for the National Population Register (NPR), a database of the identities of all Indian residents, maintained by the Registrar General and Census Commissioner of India.</p>
<p class="body" style="text-align: justify; ">Eventually, in 2009, Aadhaar, or UIDAI, surfaced as a 12-digit identification number that served as proof of identity and address — meaning, it applies to all residents whether they are citizens or not, unlike with the NPR. Aadhaar, which means ‘basis’ in Hindi, is intended to be an all-encompassing substratum of identities that can provide “instant access to services like banking, mobile phone connections and other government and non-government services”. The United Progressive Alliance government managed to link it to its Direct Benefit Transfer (DBT) system for subsidies provided to targeted groups.</p>
<p class="body" style="text-align: justify; ">As the main Opposition party, the BJP had felt that the Aadhaar number ought to have been given only to Indian citizens, and not all residents, which, in its view, would include millions of illegal immigrants.</p>
<p class="_hoverrDone body" style="text-align: justify; ">Nandan Nilekani, the former CEO of IT giant Infosys, was appointed UIDAI chairman in July 2009. The first Aadhaar number was issued in September 2010, and then the pace accelerated: 100 million by November 2011, 200 million by February 2012 and 500 million by end of 2013. “We felt speed was strategic. Doing and scaling things quickly was critical. If you move very quickly it doesn’t give opposition the time to consolidate,” Nilekani told Forbes India in a 2013 interview.</p>
<p class="body" style="text-align: justify; ">Here’s the part most of us forget: The largest opposition that Nilekani was referring to at that time was the BJP.</p>
<p class="body" style="text-align: justify; ">“The people who thought of themselves as having given birth to IT in this country refused to listen to a common man like me. Even the SC has demanded answers,” Narendra Modi, then Gujarat chief minister, had said and alleged that the Aadhaar programme was a bundle of lies to loot the country’s treasury.</p>
<p class="body" style="text-align: justify; ">As the BJP’s prime ministerial candidate for the 2014 Lok Sabha elections, days ahead of delivering the party’s biggest-ever victory, he had tweeted: “On Aadhaar, neither the Team that I met nor PM could answer my Qs on security threat it can pose. There is no vision, only political gimmick.” Recently, when Aadhaar enrolments had crossed the billion mark, this tweet was dug out prominently.</p>
<p class="body" style="text-align: justify; "><b>The U-turn</b></p>
<p class="body" style="text-align: justify; ">So, what changed? How did the Aadhaar’s primary opposition become its key crusader?</p>
<p class="body" style="text-align: justify; ">There were two meetings that supposedly changed the destiny of the Aadhaar project. In the first week of June 2014, as Nilekani was vacating his government-allotted Lutyens’ bungalow as UIDAI chief, he met Modi and Jaitley and persuaded the new regime to persist with Aadhaar. The more important meeting was with Vijay Madan, the UIDAI director general and mission director. According to a Governance Now article, when the UID team spoke of the potential savings from plugging subsidy leakages, and weeding out “ghost beneficiaries”, Modi asked them to give a precise estimate. The figure was “up to ₹50,000 crore a year” or a good 9.4 per cent of India’s ₹5,31,177-crore fiscal deficit.</p>
<p class="body" style="text-align: justify; ">Modi in his keenness to showcase the arrival of “acche din” immediately sought a 100-crore enrolment target at the ‘earliest’, putting paid to speculations that the new government would shelve the UIDAI project. A funding of ₹2,039.64 crore was formalised in the 2014-2015 Budget presented a week later, to create the infrastructure to enrol 30 crore people to add to the 70 crore already enrolled. The UIDAI targeted the 1-billion mark by the end of that fiscal.</p>
<p class="body" style="text-align: justify; "><b>Money bill to beat legal hurdles</b></p>
<p class="body" style="text-align: justify; ">It was in November 2012 that the SC admitted a PIL filed by retired Karnataka High Court judge KS Puttaswamy and advocate Parvesh Khanna, questioning the government’s decision to issue Aadhaar even as the National Identification Authority of India Bill 2010 was pending before the Rajya Sabha since December 3, 2010. They argued that there was no legislative backing for obtaining personal information. Also, the proposed law was rejected by the Parliamentary Standing Committee on Finance.</p>
<p class="body" style="text-align: justify; ">The PIL argued that linking the Aadhaar number with food security, LPG subsidy, the Employees’ Provident Fund and other direct benefit transfers made the enrolment mandatory, thereby falsifying the government’s claim that it was voluntary. Several other PILs too voiced similar privacy concerns.</p>
<p class="body" style="text-align: justify; ">Currently, there are two legal strictures governing the validity of Aadhaar: the apex court order of October 15, 2015, limiting the card’s voluntary use to six schemes (PDS, MGNREGA, LPG, NEPS and social assistance programmes) and prohibiting the government from making it mandatory for receiving any benefits or services; and the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, which is under challenge today. Both strictures have distinct operational status, but petitioners argue that recent government directives making Aadhaar mandatory are leading them to wonder whether the SC’s interim order is overshadowed by the Aadhaar Act or if the government is defying the court.</p>
<p class="body" style="text-align: justify; ">On March 3, 2016, in a surprise move, to put all dissent to rest, the Aadhaar Act was introduced as a Money Bill in Parliament to give it legislative backing. Things moved pretty fast thereon. On March 11, the Aadhaar Act 2016 was passed in the Lok Sabha. On March 26, the Act was notified. Accusing the BJP-led NDA government of showing “utter contempt” for the Rajya Sabha by taking the Money Bill route, senior Congress leader Jairam Ramesh challenged it in the Supreme Court in April. He likened the use of the Money Bill, which was passed overruling amendments moved in the Rajya Sabha, to “knocking a nail in the coffin of the Upper House”.</p>
<p class="body" style="text-align: justify; ">The government’s move took many, including Aadhaar advocates, by surprise. “We need to separate Aadhaar as identity from its specific functionality for which it’s used,” says Praveen Chakravarty, a senior fellow at the IDFC institute and a former member of Nilekani’s core team. He believes that just as a voter ID alone isn’t enough to vote, seeing the ownership of an Aadhaar card as key for any transaction is “fear-mongering”. Its use will still involve a process of checks and balances.</p>
<p class="body" style="text-align: justify; ">But can’t thumb prints be replicated with Fevicol?</p>
<p class="body" style="text-align: justify; ">“Sure, there could be failures, as there are with any system. But this is a far more foolproof method than any we’ve had before. Internationally also, biometric is to authenticate a higher level of security.”</p>
<p class="body" style="text-align: justify; "><b>The argument for privacy</b></p>
<p class="body" style="text-align: justify; ">“Aadhaar has the potential to improve welfare service delivery. But it has to be achieved in an inclusive manner befitting a truly liberal society and not through coercion,” says Chakravarty.</p>
<p class="body" style="text-align: justify; ">His only misgiving is with the use of the Money Bill to introduce the Aadhaar, without any right to privacy. “It should have gone through the process of debate in Parliament. Then it wouldn’t have been passed without a strong right to privacy safeguard,” he says, pointing out that even a junior UIDAI officer can access the data of anybody he/she chooses.</p>
<p class="body" style="text-align: justify; ">“Aadhaar inverts the idea of transparency. It makes people transparent but the State opaque,” says Usha Ramanathan, a legal expert and anti-Aadhaar crusader.</p>
<p class="body" style="text-align: justify; ">The use of Aadhaar as verification at every instance can help piece together very detailed information about citizens. These include banking transactions, online purchases, travel itineraries, mobile phone usage, location history and practically anything that can be electronically recorded and verified with an Aadhaar.</p>
<p class="body" style="text-align: justify; ">In February this year, the UIDAI filed a police case against Axis Bank and others for alleged unauthorised authentication and impersonation attempts by illegally storing Aadhaar biometrics.</p>
<p class="body" style="text-align: justify; ">The latest outcry over breached privacy involved a screenshot of cricketer Mahendra Singh Dhoni’s personal details that went viral on Twitter. The UIDAI blacklisted the agency that revealed Dhoni’s Aadhaar details after his wife complained to the IT Minister. A recent Scroll report shows the UIDAI received 1,390 similar complaints but took no action.</p>
<p class="body" style="text-align: justify; ">There are legitimate fears such an information database might eventually be misused, for instance in racial profiling or revealing voting preferences.</p>
<p class="body" style="text-align: justify; ">In January this year, Hyderabad-based ECIL developed a biometric-enabled mobile terminal for instant authentication of a voter “to prevent rigging of votes”. Till August 2015, the Election Commission was working on seeding Aadhaar data with that of voter ID card, in an attempt to weed out fake voters. However, the poll panel stopped this exercise after the SC ruled that Aadhaar be made compulsory only for PDS and LPG distribution.</p>
<p class="body" style="text-align: justify; "><a href="http://www.thehindubusinessline.com/blink/cover/nandan-nilekani-demonising-of-aadhaar-is-irresponsible/article9608232.ece" target="_blank">Nilekani, in an interview to BLink</a>, insisted that the Aadhaar has more privacy regulations than any other service in the world. He also pointed out that all election commission data is already online, and anyone can look up any voter’s name, date of birth, gender and address.</p>
<p class="body" style="text-align: justify; ">Additionally, social media profiles too are shared publicly of our own volition.</p>
<p class="body" style="text-align: justify; ">Concurring with this view, Chakravarty says, “It is surprising that we’re perfectly okay with giving all our life information to a 32-year-old named Mark Zuckerberg. However, this is voluntary. Whether we fully know consequences or not is another matter altogether.”</p>
<p class="body" style="text-align: justify; ">With the Finance Bill requiring all PAN cards to be linked to Aadhaar, there is added concern over privacy. Sunil Abraham, founder of the Centre for Internet and Society, says Aadhaar runs the risk of being used fraudulently. “If I want to get you in trouble, I can make a large purchase of gold against your Aadhaar number, which is linked to your PAN,” he explains.</p>
<p class="body" style="text-align: justify; ">He advocates for a system where different government departments don’t store Aadhaar numbers in their databases but instead use a token issued by UIDAI kiosks. This would prevent proliferation of the number.</p>
<p class="body" style="text-align: justify; "><b>Technical glitches</b></p>
<p class="body" style="text-align: justify; ">In February this year, Modi claimed in the Lok Sabha that plugging leakages through Aadhaar had saved the government ₹14,000 crore. And that nearly four crore fake ration cards have been seized till date.</p>
<p class="body" style="text-align: justify; ">One method of establishing a fake ration card is if the owner has not availed himself of his ration. Ever since Aadhaar’s biometric identification has been linked to point-of-sale (POS) machines at ration shops, residents have had to queue up with a prayer on their lips. A lot could go wrong — the biometric might not recognise them or, worse, there could be a network failure, forcing everyone to return home empty-handed. In both instances, while ration shop owners should ideally mark such transactions under ‘Transactions with “N” response from Aadhaar’, they invariably mark them under “Household yet to take ration”, implying that the beneficiary has chosen not to take home her share.</p>
<p class="body" style="text-align: justify; ">The February 2017 data for 22 ration shops across Delhi, accessed on the Department of Food & Supplies website, shows that none have a single beneficiary marked under “N”. At a Delhi Cantonment outlet, of the 1,038 registered beneficiaries only 168 have been marked “Y”, or ‘Yes’, showing they have taken their rations. Another 871 have been marked “Household yet to take ration” and none have been marked ‘N’ to indicate glitches in the Aadhaar authentication.</p>
<p class="body" style="text-align: justify; ">As Amrita Johri of citizens’ action group Satark Nagrik Sangathan explains, “Aadhaar relies on internet and electricity. This might seem like a problem only of rural areas. But we don’t have to go far. In South Delhi’s East Mehraam Nagar, there is a ration shop with no mobile signal and no network. Officials said we have to show that Aadhaar is a success, so the shop’s POS machine was finally hung on a jamun tree to get it to work.”</p>
<p class="body" style="text-align: justify; ">She questions the government’s reluctance to acknowledge the many instances of failure in the project.</p>
<p class="body" style="text-align: justify; ">Frighteningly, three consecutive failed attempts could lead to the card being placed in an abeyance list and possibly invalidated.</p>
<p class="body" style="text-align: justify; "><b>Top performers and laggards</b></p>
<p class="body" style="text-align: justify; ">Delhi is rated one of the better performing States/union territories, while Rajasthan has one of the worst records with the maximum number of biometric and network failures.</p>
<p class="body" style="text-align: justify; ">According to the government’s 2017 monthly estimates, 27 per cent of the residents whose Aadhaar cards have been seeded to the PDS were denied rations owing to biometric or network failure. This figure would be higher if the unseeded cards are also taken into account.</p>
<p class="body" style="text-align: justify; ">Nikhil Dey, founder of Rajasthan’s Mazdoor Kisan Shakti Sangathan (MKSS) says his organisation is fighting with its back against a wall.</p>
<p class="body" style="text-align: justify; ">“Nearly 73 lakh households get their monthly rations in this State, where a little over a crore households are eligible to receive them. We’re not even talking about exclusions here,” says Dey. Besides network failure, there are many instances of the old and sick who are unable to visit the shop to physically verify themselves.</p>
<p class="body" style="text-align: justify; ">“Back-up options such as OTP (one-time password) or facial recognition only work in theory,” says Dey. He alleges that shop owners often fudge the OTP system by punching in their own numbers and stealing the quotas of genuine beneficiaries.</p>
<p class="body" style="text-align: justify; ">He too believes that several names have been struck off as dead to project that the Aadhaar has weeded out a high number of fake social security pensioners.</p>
<p class="body" style="text-align: justify; ">Nilekani applauds Andhra Pradesh for its progress in the Aadhaar project by investing in infrastructure to eliminate technical glitches. J Satyanarayana, the UIDAI’s part-time chairperson, told BLink in an email interview that Aadhaar has led to transparency and efficiency in nearly all government schemes in AP.</p>
<p class="body" style="text-align: justify; ">During March 2017, 42.29 lakh (93.02 per cent) pensioners received their payment through Aadhaar-based biometric authentication, he says, adding that real-time monitoring systems are in place.</p>
<p class="body" style="text-align: justify; ">“The entire PDS (rations) is linked to Aadhaar,” he says. As many as 1.21 crore (87.39 per cent) card holders collected their ration this month, and 95.94 lakh received wages (totalling ₹5,283 crore) under MNREGA through Aadhaar-enabled systems, he informs.</p>
<p class="body" style="text-align: justify; ">Neighbouring Telangana too is known for its 99 per cent Aadhaar enrollment, leading to an impressive 80 per cent of its population accessing the PDS.</p>
<p class="body" style="text-align: justify; ">BP Acharya, special chief secretary in Telangana’s planning department says, “Aadhaar’s use can perhaps be most seen in Telangana’s speedy clearances, investment promotion, creating licences and clearances for shops and establishments.”</p>
<p class="body" style="text-align: justify; ">Telangana took the Aadhaar database project one step further through its Citizen 360 programme. In August 2014, months after the State was newly formed, it conducted one of the largest household surveys in a single day, covering one crore households. This data was integrated with the Aadhaar database and now links different benefits on the same platform. Now the Aadhaar identity is linked to other details such as the holder’s driving licence and even crime record.</p>
<p class="body" style="text-align: justify; ">The UIDAI holds out AP and Telangana as shining examples of Aadhaar’s efficiency when backed by the right network and infrastructure. But for the lakhs of biometric factory rejects who are denied their rights, Aadhaar can only mean a mass experiment gone horribly wrong.</p>
<table class="plain" style="text-align: justify; ">
<tbody>
<tr>
<td>
<p class="body"><b><i>Aadhaar Timeline</i></b></p>
<p class="body" style="text-align: justify; "><b>2006</b></p>
<p class="body" style="text-align: justify; ">The ministry of communications and information technology approves the ‘Unique ID for Below Poverty Line (BPL) families’ project under the chairmanship of Arvind Virmani, then principal advisor, Planning Commission</p>
<p class="body" style="text-align: justify; "><b>2008</b></p>
<p class="body" style="text-align: justify; ">Empowered group of ministers formed by former Prime Minister Manmohan Singh decides to collate two schemes — the National Population Register under the Citizenship Act, 1955 and the UID project — to conceive Aadhaar.</p>
<p class="body" style="text-align: justify; "><b>2009</b></p>
<p class="body" style="text-align: justify; ">Planning Commission issues a notification to constitute the Unique Identification Authority of India (UIDAI).</p>
<p class="body" style="text-align: justify; ">Government appoints Infosys co-founder Nandan Nilekani as the first chairman of UIDAI, with the rank and status of a cabinet minister.</p>
<p class="body" style="text-align: justify; "><b>2012</b></p>
<p class="body" style="text-align: justify; ">Former Karnataka high court judge justice K Puttaswamy files a public interest litigation before the Supreme Court (SC) declaring that Aadhaar violates an individual’s right to privacy and that the scheme lacks legislative backing.</p>
<p class="body" style="text-align: justify; "><b>2014</b></p>
<p class="body" style="text-align: justify; ">In an interim order, the SC restrains the UIDAI from transferring biometric information with an Aadhaar number to any other agency without the individual’s consent in writing.</p>
<p class="body" style="text-align: justify; "><b>2015</b></p>
<p class="body" style="text-align: justify; ">Three-judge bench of the apex court rules the unique identity number is not mandatory to avail of benefits from government programmes, restricting the use of Aadhaar to beneficiaries of the public distribution system and subsidies on cooking gas and kerosene, and refers the question on privacy to a larger constitution bench.</p>
<p class="body" style="text-align: justify; ">Centre moves SC seeking a review and modification of the August 11 interim order. A five-judge constitution bench modifies the same and extends the use of Aadhaar to Mahatma Gandhi National Rural Employment Guarantee Scheme, Jan Dhan Yojana, pensions and the Employees’ Provident Fund scheme.</p>
<p class="body" style="text-align: justify; "><b>2016</b></p>
<p class="body" style="text-align: justify; ">Finance minister Arun Jaitley announces in the budget speech that the government will offer statutory backing for Aadhaar. The Lok Sabha passes the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Bill, 2016 as a Money Bill, rejecting Rajya Sabha recommendations.</p>
<p class="body" style="text-align: justify; "><b>2017</b></p>
<p class="body" style="text-align: justify; ">Aadhaar is made mandatory for three dozen schemes with 84 more expected under direct benefit transfers, including midday meal scheme and universal education.</p>
<p class="body" style="text-align: justify; ">SC again rules that Aadhaar cannot be made mandatory for welfare schemes.</p>
</td>
</tr>
</tbody>
</table>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/hindu-businessline-shriya-mohan-the-aadhaar-of-all-things'>http://editors.cis-india.org/internet-governance/news/hindu-businessline-shriya-mohan-the-aadhaar-of-all-things</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-04-03T15:46:23Z; News Item
The Aadhaar Act is Not a Money Bill
http://editors.cis-india.org/internet-governance/blog/the-aadhaar-act-is-not-a-money-bill
<b>While the authority of the Lok Sabha Speaker is final and binding, Jairam Ramesh’s writ petition may allow the Supreme Court to question an incorrect application of substantive principles. This article by Amber Sinha was published by The Wire on April 24, 2016.</b>
<p>Originally published by <a href="http://thewire.in/2016/04/24/the-aadhaar-act-is-not-a-money-bill-31297/">The Wire</a> on April 24, 2016.</p>
<hr />
<p>Since its introduction as a money bill in the Lok Sabha in the first week of March <strong>[1]</strong>, the Aadhaar (Targeted delivery of Financial and other subsidies, benefits and services) Bill, 2016 has been embroiled in controversy. The Lok Sabha rejected the five recommendations of the Rajya Sabha and adopted the bill on March 16 and only presidential assent was required for it to become valid law. However, former Union Minister Jairam Ramesh filed a writ petition contesting the decision to treat the Aadhaar Bill as a money bill. The petition is due to be heard before the Supreme Court on April 25, and should the court decide to entertain the petition, it could have far-reaching implications for the Aadhaar project and the manner in which money bills are passed by the Parliament.</p>
<p>There are three broad categories of bills (all legislations or Acts are known as ‘bills’ till they are passed by the Parliament) that the Parliament can pass. The first kind, Constitution Amendment Bills, are those that seek to amend a provision in the Constitution of India. The second are financial bills which contain provisions on matters of taxation and expenditure. Money bills are a subset of the financial bills which contain provisions only related to taxation, financial obligations of the government, expenditure from or receipt to the Consolidated Fund of India and any matters incidental to the above. The third category is of ordinary bills which includes all other bills. The process for the enactment of all these bills is different. Money bills are peculiar in that they can only be introduced in the Lok Sabha, where they can be passed by a simple majority. Following this, the bill is transmitted to the Rajya Sabha. The Rajya Sabha’s powers are restricted to giving recommendations on the Bill and sending it back to the Lok Sabha, which the Lok Sabha is under no obligation to accept. The decision to introduce the Aadhaar Bill as a money bill has been widely seen as an attempt to circumvent the Rajya Sabha where the ruling party is in a minority.</p>
<p>Article 110 (1) of the Constitution defines a money bill as one containing provisions only regarding the matters enumerated or any matters incidental to them. These are a) imposition, regulation and abolition of any tax, b) borrowing or other financial obligations of the Government of India, c) custody, withdrawal from or payment into the Consolidated Fund of India (CFI) or Contingent Fund of India, d) appropriation of money out of CFI, e) expenditure charged on the CFI or f) receipt or custody or audit of money into CFI or public account of India. Article 110 is modelled on Section 1(2) of the (UK) Parliament Act, 1911 which also defines the money bills as those only dealing with certain enumerated matters. The use of the word “only” was brought up by Ghanshyam Singh Gupta during the Constituent Assembly Debates. He pointed out that the use of the word “only” limits the scope of money bills to only those legislations which did not deal with other matters. His amendment to delete the word “only” was rejected clearly establishing the intent of the framers of the Constitution to keep the ambit of money bills extremely narrow.</p>
<p>While the Aadhaar Bill does make references to benefits, subsidies and services funded by the Consolidated Fund of India (CFI), even a cursory reading of the bill reveals its main objectives as creating a right to obtain a unique identification number and providing for a statutory apparatus to regulate the entire process. The mere fact of establishing the Aadhaar number as the identification mechanism for benefits and subsidies funded by the CFI does not give it the character of a money bill. The bill merely speaks of facilitating access to unspecified subsidies and benefits rather than their creation and provision being the primary object of the legislation. Erskine May’s seminal textbook, ‘Parliamentary Practice’, is instructive in this respect and makes it clear that a legislation which simply makes a charge on the Consolidated Fund does not become a money bill if otherwise its character is not that of one.</p>
<p>PDT Achary, former secretary general of the Lok Sabha, has expressed concern about the use of Money Bills as a means to circumvent the Rajya Sabha. He has written here <strong>[2]</strong> and here <strong>[3]</strong>, on what constitutes a money bill and how the attempts to pass off financial bills like the Aadhaar Bill as money bills could erode the supervisory role Rajya Sabha is supposed to play. This is especially true in the case of a legislation like the Aadhaar Bill which has far-reaching implications for individual privacy, as it governs the identification system conceptualised to provide a unique and lifelong identity to residents of India dealing with both the analog and digital machinery of the state and, by virtue of Section 57, of any private entities. Already over 1 billion people have been enrolled under this identification scheme, and the project has been a subject of much debate and a petition before the Supreme Court. The project has been portrayed as both the last hope for a welfare state and surveillance infrastructure. Regardless of which of the two ends of spectrum one leans towards, it is undeniable that the law governing the Aadhaar project deserved a proper debate in the Parliament. Even those who are strong proponents of the project must accept that the decision to pass it off as a money bill undermines the importance of democratic processes and is a travesty on the Constitution and a blatant abrogation of the constitutional duties of the speaker.</p>
<p>The petition by Jairam Ramesh would hinge largely on the powers of the judiciary to question the decision of the Speaker of the Lok Sabha. Article 110 (3) is very clear in pronouncing the authority of the Speaker as final and binding. Additionally, Article 122 prohibits the courts from questioning the validity of any proceedings in Parliament on the ground of any alleged irregularity of procedure. The powers of privilege that Parliamentarians enjoy are integral to the principle of separation of powers. However, the courts may be able to make a fine distinction between inquiring into procedural irregularity, which is prohibited by the Constitution, and questioning an incorrect application of substantive principles, which, I would argue, is the case with the Speaker’s decision.</p>
<h3>References</h3>
<p><strong>[1]</strong> See: <a href="http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/">http://thewire.in/2016/03/07/arun-jaitley-introduces-money-bill-on-aadhar-in-lok-sabha-24115/</a>.</p>
<p><strong>[2]</strong> See: <a href="http://indianexpress.com/article/opinion/columns/show-me-the-money-4/">http://indianexpress.com/article/opinion/columns/show-me-the-money-4/</a>.</p>
<p><strong>[3]</strong> See: <a href="http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece">http://www.thehindu.com/opinion/lead/circumventing-the-rajya-sabha/article7531467.ece</a>.</p>
No publisher; Amber Sinha; UID, Privacy, Internet Governance, Digital India, Aadhaar; 2016-04-25T10:51:37Z; Blog Entry
The 12-digit conundrum
http://editors.cis-india.org/internet-governance/news/richa-mishra-hindu-businessline-march-13-2017-the-12-digit-conundrum
<b>Even as the Centre plans to link as many as 500 schemes to Aadhaar, concerns over data safety are rising. Richa Mishra reports.</b>
<p class="body" style="text-align: justify; ">The article by Richa Mishra was published in the <a href="http://www.thehindubusinessline.com/specials/india-file/aadhaar-the-12digit-conundrum/article9582271.ece">Hindu Businessline</a> on March 13, 2017. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p class="body" style="text-align: justify; ">The developments of the last few weeks seem to have made real some of the worst fears about Aadhaar. In February, UIDAI (Unique Identification Authority of India) filed a police complaint alleging attempts of unauthorised authentication and impersonation of data related to Aadhaar. Since then, the entire government machinery has been trying to convince people otherwise: that the Aadhaar database is safe and secure, and that the data is protected both by the best available advanced technology as well as by the stringent legal provisions in the Aadhaar Act.</p>
<p class="body" style="text-align: justify; ">Not everyone is convinced. Critics say biometrics only make the citizen transparent to the State; they do not make the State transparent to citizens. “We warned the government six years ago, but they ignored us,” said Sunil Abraham, Executive Director of Bengaluru-based research organisation, Centre for Internet and Society. According to him, the legislation implementing Aadhaar has almost no data protection guarantees for citizens. He also believes that by opting for biometrics instead of smart cards the government is using surveillance technology instead of e-governance technology.</p>
<p class="body" style="text-align: justify; ">“Biometrics is remote, covert and non-consensual identification technology. It is totally inappropriate for authentication. This has only increased the fragility of Indian cyber security,” he stresses.</p>
<p class="body" style="text-align: justify; ">However, officials associated with UIDAI dismiss these arguments. Collecting biometrics does not pose any threat to the right to privacy because people have been giving their thumb impression for ages, they say. “The biometrics are encrypted at source and kept safe and secure. Unauthorised sharing and leakage of the data does not happen. Fears related to collection of biometrics are not justified,” an official at the helm of affairs said. He requested anonymity.</p>
<p class="body" style="text-align: justify; ">“However, as and when we find that some suspicious activity or misuse is happening, we will strike at the very beginning itself. UIDAI has full authentication regulation under the Aadhaar Act that has to be followed. It specifies in what manner authorities can use Aadhaar,” the official pointed out.</p>
<div style="text-align: justify; "><b>On the ground</b></div>
<p class="body" style="text-align: justify; ">Even as the debate over data security rages, the <i>aam aadmi </i> seem to be little perturbed about the alleged risks involved. For Padmini, who works as a domestic help in East Delhi and is the sole bread earner for her family of four, the Aadhaar card meant access to all government benefits.</p>
<p class="body" style="text-align: justify; ">“<i>Koi farak nahi padta, kaun dekhta hai mera card. Mujhko </i>LPG cylinder <i>ka paisa bank mein mil jata hai,”</i> (It doesn’t matter to me who sees my card. The subsidy for LPG gets transferred to my account) she says. “<i>Baccho ke school admission mein bhi zaroorat pada,</i>” (I needed it to get my children’s admission in school), she added. Sukh, a cab driver also uses it to get the LPG subsidy.</p>
<p class="body" style="text-align: justify; ">While everyone <i>BusinessLine </i>talked to was convinced that Aadhaar was not a citizenship card, the more aware ones saw it as a door that gave access to government schemes.</p>
<p class="body" style="text-align: justify; ">While they had a point, government officials are careful to make it clear that Aadhaar is not mandatory. But the popular perception increasingly points to the opposite view, especially after it emerged that Aadhaar might be made mandatory for children to receive midday meals at schools.</p>
<p class="body" style="text-align: justify; ">Another senior government official said, “Aadhaar is not mandatory under any welfare scheme of the government and no one is being deprived of a service or benefit for the want of Aadhaar…it’s required for availing a service/subsidy/benefit that accrues through the Consolidated Fund of India.” He added that those who do not have the 12-digit number would be provided with the facility to enrol by the Requiring Agency. “And till the time Aadhaar is assigned, alternative IDs would be allowed,” he said.</p>
<p class="body" style="text-align: justify; ">If a school which has to get Aadhaar enrolment done for its students puts the Aadhaar numbers of its students on its site and the same is used by someone, you can’t blame us, the official argues. Then, who is accountable?</p>
<p class="body" style="text-align: justify; ">Pushing for Aadhaar, the UIDAI officials cite the example of Kerala’s Department of General Education (DGE), which has integrated Aadhaar with the student databases and has thereby optimised the teacher-student ratio and identified the schools with excess teachers. In a single academic year, 3,892 excess teacher posts were identified.</p>
<p class="_hoverrDone body" style="text-align: justify; ">“Due to this exercise, no new posts have been sanctioned for the last two years, resulting in notional savings of ₹540 crore per annum,” said a UIDAI official. After student enrolment in the state was linked to Aadhaar since 2012-2013, the head count of pupils has fallen by 5 lakh. Similar trends have been reported in Haryana. Critics have also pointed out the possible security risk in using AadhaarPay, the Android-based app. Merchants can download the app on their phone and install a fingerprint scanner linked to the phone. Customers with Aadhaar numbers can use their fingerprints (like the secret PIN in case of debit cards) to do a transaction. While doubts have been raised about the safety of fingerprint data, officials in the know blame the controversy on the “card lobbies.”</p>
<p class="body" style="text-align: justify; ">“Thirty crore Indians have no mobiles. They find it difficult to handle password, pin or card, this is where AadhaarPay will come handy,” the official added. “They don’t need a smart phone or feature phone. They don’t need a debit card.</p>
<p class="_hoverrDone body" style="text-align: justify; ">“Today more than 112 crore people have the Aadhaar card. Approximately, 52.95 crore people have linked their Aadhaar numbers to their bank accounts. We already have a system of Aadhaar authentication in place,” the official added.</p>
<p class="_hoverrDone body" style="text-align: justify; ">Government officials are at pains to point out the larger benefits of Aadhaar, including savings of more than ₹49,000 crore by plugging leakages in government schemes like PDS. The government plans to increase the number of welfare schemes linked to Aadhaar from 36 to over 500. While the intent is good, concerns remain.</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-03-14T13:50:05Z; News Item
Taking Cognisance of the Deeply Flawed System That Is Aadhaar
http://editors.cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar
<b>Aadhaar and its many connotations have grown to be among the most burning issues on the Indian fore today, that every citizen aware of their rights should be taking note of.</b>
<p style="text-align: justify; ">The article by Shreyashi Roy was <a class="external-link" href="https://thewire.in/133916/taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar/">published in the Wire</a> on May 10, 2017.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">With the <a href="https://thewire.in/130948/aadhaar-card-details-leaked/" rel="noopener noreferrer" target="_blank" title="leak of 130 million Aadhaar numbers">leak of 130 million Aadhaar numbers</a> recently coming to light, several activists, lawyers and ordinary citizens are up in arms about what is increasingly being viewed as a government surveillance system. Keeping this in mind, on Tuesday, May 9, Software Freedom Law Centre India (SFLC) hosted an event that brought together a panel to clearly articulate the dangers of Aadhaar and to discuss whether the biometric identification system is capable of being reformed.</p>
<p style="text-align: justify; ">SFLC is a donor-supported legal services organisation that calls itself a protector of civil liberties in the digital age.</p>
<p style="text-align: justify; ">Titled ‘Revisiting Aadhaar: Law, Tech and Beyond’, the discussion, with several eminent personalities who have in-depth knowledge of Aadhaar and its working, threw light on the various problems that have cropped up with regard to India’s unique identification system. The discussion was moderated by Saikat Datta, policy director at Centre for Internet and Society, which published the report that studied the third-party leaks of Aadhaar numbers and other personal data.</p>
<p style="text-align: justify; "><b>The leaks</b></p>
<p style="text-align: justify; ">The discussion took off from the point of the leaks, with Srinivas Kodali, a panelist and one of the authors of the report, explaining his methodology for the study that proved that the Aadhaar database lacked the security required when dealing with private information of people. He highlighted the fact that during the course of his research, he had noticed several leaks from government websites and notified the Unique Identification Authority of India (UIDAI) about the same. Yet, at every step, UIDAI continued to deny and reject the possibility of this happening. Kodali says, however, that he had noticed that the websites that were unknowingly leaking data were, in fact, fixing the leaks after being notified without acknowledging that the leak had happened in the first place. Kodali reiterated at the discussion, as in his report, that a simple tweaking of URL query parameters of the National Social Assistance Programme website could unmask and display private information. Unfortunately, UIDAI cannot be brought to task for unknowingly leaking information because there is no such provision.</p>
<p style="text-align: justify; ">He also addressed the question of the conflict of interest that existed in the entire system of building Aadhaar, which was created by developers who later left the UIDAI and built their own private companies, monetising the mine of private information that they were sitting on. Kodali blames UIDAI for this even being allowed, since the developers, though clearly lacking ethics, were in fact, merely volunteers.</p>
<p style="text-align: justify; "><b>The system</b></p>
<p style="text-align: justify; ">One of the glaring issues with the technology behind Aadhaar is that the software is not open source. Anivar Aravind, a panelist, called it “defected by design” and “bound to fail” because not only is the technology completely untested but there are very obvious leaks that are taking place. Moreover, UIDAI does not allow any third-party audits or any other persons to look at the technology. Datta pointed to the fact that this is unheard of in other nations, where software is routinely subjected to penetration testing and hacking experts are called upon to check how secure a database is.</p>
<p style="text-align: justify; ">Anupam Saraph, another panelist and future designer, illuminated the creation of the Aadhaar database, pointing out that this is a system less about identification and more about verification. All of the verification, moreover, has been done by private parties, making the database itself suspect and leaving everyone’s private information loose at the time of enrolment. In addition, Aadhaar was meant for all residents and not just citizens. But now there is a mix of both, creating confusion in many aspects. Saraph also brought up how one rogue agency with access to all this information could pose an actual national security threat, unlike all the requests for information on breaches that the government keeps pointing fingers at. Referring to Nandan Nilekani’s statement about Aadhaar not being like AIDS, Saraph pointed out that it was exactly like it because much like the body, which cannot distinguish between an invasion and itself, the Aadhaar system is unable to distinguish between aliens and citizens and has begun denying the latter benefits.</p>
<p style="text-align: justify; ">The Supreme Court has declared time and again that Aadhaar cannot be made mandatory, but the government continues to – in complete disregard of the apex court’s judgment – insist on Aadhaar for a multitude of schemes. More and more schemes are being made unavailable without the existence of an Aadhaar number as the government continues to function in a complete lack of cognisance of the fact that the poor are losing out on something as basic as their food because of a number. Prasanna S., an advocate and a panelist, called it a “voluntary but mandatory” system that is becoming an evidence collection mechanism. Moreover, everything is connected through this one number, making many options like financial fraud, selective treatment of citizens and other horrors possible. The collection of all this information is not dangerous, screams the government. Maybe not in the hands of this one. But what of the next? What of rogues?</p>
<p style="text-align: justify; "><b>The legal aspect</b></p>
<p style="text-align: justify; ">One of the panelists was Shyam Divan, a senior advocate of the Supreme Court, who has represented petitioners fighting against Aadhaar. Divan spoke about how along with a group of advocates he has been trying to get the apex court to rule on the issue but has been met with long queues before a ruling can be procured. He addressed the right to privacy aspect of the system and the recent declaration that the citizen does not have the absolute right to the body. He emphasised that the government cannot own the body and that for a free and democratic society, a limited government, instead of an all-knowing and all-seeing government, is essential. Unfortunately for India, there is no express right to privacy in the constitution, but that does not mean that rights can be taken away in exchange for a fingerprint. It is the government’s duty to respect privacy. For him, Aadhaar has become an instrument of oppression and exclusion, a point that Prasanna also agreed with, calling it a “systematic attack on consent”.</p>
<p style="text-align: justify; ">There is complete agreement that there has been a railroading of consent in this entire matter if Aadhaar being passed forcibly through the Lok Sabha as a money bill is anything to go by. If parliament’s consent can be disregarded in that fashion, what is an ordinary citizen to do in the face of this complete imbalance of power in the state’s hand?</p>
<p style="text-align: justify; ">Usha Ramanathan, a legal researcher and a long-time critic of Aadhaar, spoke about how India has turned into a state where there are more restrictions than fundamental rights, rather than the other way around. She related how there was no clarity at the beginning of Aadhaar of how it would be a card or a number and was never a government project in the first place. This is a private sector ambition that the government has jumped on board with, without considering that the private sector does not concern itself with civil liberties. As other panelists also pointed out, the private sector cannot and will not protect public interest. This is the job of the government, especially in an age of digitisation. But Aadhaar compromises the ability of the state to stand up for its citizens.</p>
<p style="text-align: justify; ">With June 30 approaching fast, many of those who have so far abstained from enrolling in the system are considering giving up their rebellion and going like sheep to get themselves registered in the database. In the words of Divan, they will have to “volunteer compulsorily for an Aadhaar”. The government is probably counting on this. Turning to the Supreme Court has been of no help, although a verdict can be hoped for in a couple of weeks. But what can we do if they rule for the government?</p>
<p style="text-align: justify; ">Some of the panelists are on board with the idea of a civil disobedience movement, a kind of a rebellion against Aadhaar. Some suggested thinking of out-of-the-box ways to register one’s protest and dissent against what is clearly becoming the architecture of a surveillance state. Saraph was particularly vehement about the need to completely destroy the Aadhaar database – “shred it”.</p>
<p style="text-align: justify; ">What all the panelists emphasised repeatedly was that there can be no improvements to a system that is so deeply flawed and that has had so many “teething problems” that are making millions suffer. The main takeaway from the discussion was that Aadhaar must see a speedy demise because it cannot be saved and cannot persist in its current state.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar'>http://editors.cis-india.org/internet-governance/news/the-wire-may-10-2017-shreyashi-roy-taking-cognisance-of-the-deeply-flawed-system-that-is-aadhaar</a>
</p>
No publisher; praskrishna; Aadhaar, Internet Governance, Privacy; 2017-05-19T14:52:58Z; News Item
Surveillance Project
http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project
<b>The Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better.</b>
<p style="text-align: justify; ">The article will be <a class="external-link" href="http://www.frontline.in/cover-story/surveillance-project/article8408866.ece">published in Frontline</a>, April 15, 2016 print edition.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; "><strong>Zero</strong>. The probability of some evil actor breaking into the central store of authentication factors (such as keys and passwords) for the Internet. Why? That is because no such store exists. And, what is the probability of someone evil breaking into the Central Identities Data Repository (CIDR) of the Unique Identification Authority of India (UIDAI)? Greater than zero. How do we know this? One, the central store exists and two, the Aadhaar Bill lists breaking into this central store as an offence. Needless to say, it would be redundant to have a law that criminalises a technological impossibility. What is the consequence of someone breaking into the central store? Remember, biometrics is just a fancy word for non-consensual and covert identification technology. High-resolution cameras can capture fingerprints and iris information from a distance.</p>
<p style="text-align: justify; ">In other words, on March 16, when Parliament passed the Bill, it was as if Indian lawmakers wrote an open letter to criminals and foreign states saying, “We are going to collect data to non-consensually identify all Indians and we are going to store it in a central repository. Come and get it!” Once again, how do I know that the CIDR will be compromised at some date in the future? How can I make that policy prediction with no evidence to back it up? To quote Sherlock Holmes, “Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.” If a back door to the CIDR exists for the government, then the very same back door can be used by an enemy within or from outside. In other words, the principle of decentralisation in cybersecurity does not require repeated experimental confirmation across markets and technologies.</p>
<p style="text-align: justify; "><strong>Zero</strong>. The chances that you can fix with the law what you have broken with poor technological choices and architecture. And, to a large extent vice versa. Aadhaar is a surveillance project masquerading as a development intervention because it uses biometrics. There is a big difference between the government identifying you and you identifying yourself to the government. Before UID, it was much more difficult for the government to identify you without your knowledge and conscious cooperation. Tomorrow, using high-resolution cameras and the power of big data, the government will be able to remotely identify those participating in a public protest. There will be no more anonymity in the crowd. I am not saying that law-enforcement agencies and intelligence agencies should not use these powerful technologies to ensure national security, uphold the rule of law and protect individual rights. I am only saying that this type of surveillance technology is inappropriate for everyday interactions between the citizen and the state.</p>
<p style="text-align: justify; ">Some software engineers believe that there are technical fixes for these concerns; they point to the consent layer in the India stack developed through a public-private partnership with the UIDAI. But this is exactly what Evgeny Morozov has dubbed “technological solutionism”—fundamental flaws like this cannot be fixed by legal or technical band-aid. If you were to ask the UIDAI how do you ensure that the data do not get stolen between the enrolment machine and the CIDR, the response would be, we use state-of-the-art cryptography. If cryptography is good enough for the UIDAI why is it not good enough for citizens? That is because if citizens use cryptography [on smart cards] to identify themselves to the state, the state will need their conscious cooperation each time. That provides the feature that is required for better governance without the surveillance bonus. If you really must use biometrics, it could be stored on the smart card after being digitally signed by the enrolment officer. If there is ever a doubt whether the person has stolen the smart card, a special machine can be used to read the biometrics off the card and check that against the person. This way the power of biometrics would be leveraged without any of the accompanying harms.</p>
<p style="text-align: justify; "><b>Zero</b>. This time, for the utility of biometrics as a password or authentication factor. There are two principal reasons for which the Act should have prohibited the use of biometrics for authentication. First, biometric authentication factors are irrevocable unlike passwords, PINs, digital signatures, etc. Once a biometric authentication factor has been compromised, there is no way to change it. The security of a system secured by biometrics is permanently compromised. Second, our biometrics is so easy to steal; we leave our fingerprints everywhere.</p>
<p style="text-align: justify; ">Also, if I upload my biometric data onto the Internet, I can then plausibly deny all transactions against my name in the CIDR. In order to prevent me from doing that, the government will have to invest in CCTV cameras [with large storage] as they do for passport-control borders and as banks do at ATMs. If you anyway have to invest in CCTV cameras, then you might as well stick with digital signatures on smart cards as the previous National Democratic Alliance (NDA) government proposed the SCOSTA (Smart Card Operating System Standard for Transport Application) standard for the MNIC (Multipurpose National ID Card). Leveraging smart card standards like EMV will ensure harnessing greater network effects thanks to the global financial infrastructure of banks. These network effects will drive down the cost of equipment and afford Indians greater global mobility. And most importantly when a digital signature is compromised the user can be issued a new smart card. As Rufo Guerreschi, executive director of Open Media Cluster, puts it, “World leaders and IT experts should realise that citizen freedoms and states’ ability to pursue suspects are not an ‘either or’ but a ‘both or neither’.”</p>
<p style="text-align: justify; "><b>Near zero</b>. We now move to biometrics as the identification factor. This is the rate of potential duplicates, or “False Positive Identification Rate”, which according to the UIDAI is only 0.057 per cent and which, according to them, means that only “570 resident enrolments will be falsely identified as duplicate for every one million enrolments.” However, according to an article published in <i>Economic & Political Weekly</i> by my colleague at the Centre for Internet and Society, Hans Verghese Mathews, this will result in one out of every 146 people being rejected during enrolment when total enrolment reaches one billion people. In its rebuttal, the UIDAI disputes the conclusion but offers no alternative extrapolation or mathematical assumptions. “Without getting too deep into the mathematics” it offers an account of “a manual adjudication process to rectify the biometric identification errors”.</p>
<p style="text-align: justify; ">This manual adjudication determines whether you exist and has none of the elements of natural justice such as notice to the affected party and opportunity to be heard. Elimination of ghosts is impossible if only machines and unaccountable humans perform this adjudication. This is because there is zero skin in the game. There are free tools available on the Internet such as SFinGe (Synthetic Fingerprint Generator) which allow you to create fake biometrics. The USB cables on the UIDAI-approved enrolment setup can be intercepted using generic hardware that can be bought online. With a little bit of clever programming, countless number of ghosts can be created which will easily clear the manual adjudication process that the UIDAI claims will ensure that “no one is denied an Aadhaar number because of a biometric false positive”.</p>
<p style="text-align: justify; "><b>Near zero</b>. This time for surveillance, which I believe should be used like salt in cooking. Essential in small quantities but counterproductive even if slightly in excess. There is a popular misconception that privacy researchers such as myself are opposed to surveillance. In reality, I am all for surveillance. I am totally convinced that surveillance is good anti-corruption technology.</p>
<p style="text-align: justify; ">But I also want good returns on investment for my surveillance tax rupee. According to Julian Assange, transparency requirements should be directly proportionate to power; in other words, the powerful should be subject to more surveillance. And conversely, I add, privacy protections must be inversely proportionate to power—or again, in other words, the poor should be spared from intrusions that do not serve the public interest. The UIDAI makes the exact opposite design assumption; it assumes that the poor are responsible for corruption and that technology will eliminate small-ticket or retail corruption. But we all know that politicians and bureaucrats are responsible for most of large-ticket corruption.</p>
<p style="text-align: justify; ">Why does not the UIDAI first assign UID numbers to all politicians and bureaucrats? Then using digital signatures why do not we ensure that we have a public non-repudiable audit trail wherein everyone can track the flow of benefits, subsidies and services from New Delhi to the panchayat office or local corporation office? That will eliminate big-ticket or wholesale corruption. In other words, since most of Aadhaar’s surveillance is targeted at the bottom of the pyramid, there will be limited bang for the buck. Surveillance is the need of the hour; we need more CCTVs with microphones turned on in government offices than biometric devices in slums.</p>
<p style="text-align: justify; "><b>Instantiation technology </b></p>
<p style="text-align: justify; "><b>One</b>. And zero. In the contemporary binary and digital age, we have lost faith in the old gods. Science and its instantiation technology have become the new gods. The cult of technology is intolerant to blasphemy. For example, Shekhar Gupta recently tweeted saying that part of the opposition to Aadhaar was because “left-libs detest science/tech”. Technology as ideology is based on some fundamental articles of faith: one, new technology is better than old technology; two, expensive technology is better than cheap technology; three, complex technology is better than simple technology; and four, all technology is empowering or at the very least neutral. Unfortunately, there is no basis in science for any of these articles of faith.</p>
<p style="text-align: justify; ">Let me use a simple story to illustrate this. I was fortunate to serve as a member of a committee that the Department of Biotechnology established to finalise the Human DNA Profiling Bill, 2015, which was to be introduced in Parliament in the last monsoon session. Aside: the language of the Act also has room for the database to expand into a national DNA database circumventing 10 years of debate around the controversial DNA Profiling Bill, 2015. The first version of this Bill that I read in January 2013 said that DNA profiling was a “powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another … without any doubt”. In other words, to quote K.P.C. Gandhi, a scientist from Truth Labs, “I can vouch for the scientific infallibility of using DNA profiling for carrying out justice.”</p>
<p style="text-align: justify; ">Unfortunately, though, the infallible science is conducted by fallible humans. During one of the meetings, a scientist described the process of generating a biometric profile. The first step after the laboratory technician generated the profile was to compare the generated profile with her or his own profile because during the process of loading the machine with the DNA sample, some of the laboratory technician’s DNA could have contaminated the sample. This error would not be a possibility in much older, cheaper and rudimentary biometric technology for example, photography. A photographer developing a photograph in a darkroom does not have to ensure that his or her own image has not accidentally ended up on the negative. But the UIDAI is filled with die-hard techno-utopians; if you tell them that fingerprints will not work for those who are engaged in manual labour, they will say then we will use iris-based biometrics. But again, complex technologies are more fragile and often come with increased risks. They may provide greater performance and features, but sometimes they are easier to circumvent. A gummy finger to fool a biometric scanner can be produced using glue and a candle, but to fake a passport takes a lot of sophisticated technology. Therefore, it is important for us as a nation to give up our unquestioning faith in technology and start to debate the exact technological configurations of surveillance technology for different contexts and purposes.</p>
<p style="text-align: justify; "><b>One</b>. This time representing a monopoly. Prior to the UID project, nobody got paid when citizens identified themselves to the state. While the Act says that the UIDAI will get paid, it does not specify how much. Sooner or later, this cost of identification will be passed on to the citizens and residents. There will be a consumer-service provider relationship established between the citizen and the state when it comes to identification. The UIDAI will become the monopoly provider of identification and authentication services in India which is trusted by the government. That sounds like a centrally planned communist state to me. Should not the right-wing oppose the Act because it prevents the free market from working? Should not the free market pick the best technology and business model for identification and authentication? Will not that drive the cost of identification and authentication down and ensure higher quality of service for citizens and residents?</p>
<p style="text-align: justify; "><b>Competing providers</b></p>
<p style="text-align: justify; ">Competing providers can also publish transparency reports regarding their compliance with data requests from law-enforcement and intelligence agencies, and if this is important to consumers they will be punished by the market. The government can use mechanisms such as permanent and temporary bans and price regulation as disincentives for the creation of ghosts. There will be a clear financial incentive to keep the database clean. Just like the government established a regulatory framework for digital certificates in the Information Technology Act allowing for e-commerce and e-governance. Ideally, the Aadhaar Bill should have done something similar and established an ecosystem for multiple actors to provide services in this two-sided market. For it is impossible for a “small government” to have the expertise and experience to run one of the world’s largest database of biometric and transaction records securely for perpetuity.</p>
<p style="text-align: justify; ">To conclude, I support the use of biometrics. I support government use of identification and authentication technology. I support the use of ID numbers in government databases. I support targeted surveillance to reduce corruption and protect national security. But I believe all these must be put in place with care and thought so that we do not end up sacrificing our constitutional rights or compromising the security of our nation state. Unfortunately, the Aadhaar project’s technological design and architecture is an unmitigated disaster and no amount of legal fixes in the Act will make it any better. Our children will pay a heavy price for our folly in the years to come. To quote the security guru Bruce Schneier, “Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project'>http://editors.cis-india.org/internet-governance/blog/frontline-april-15-2016-sunil-abraham-surveillance-project</a>
</p>
No publisher; sunil; Aadhaar, Internet Governance, Privacy; 2016-04-05T15:21:27Z; Blog Entry
Surveillance Enabling Identity Systems in Africa: Tracing the Fingerprints of Aadhaar
http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar
<b>Biometric identity systems are being introduced around the world with a focus on promoting human development and social and economic inclusion, rather than previous goals of security. As a result, these systems are being encouraged in developing countries, particularly in Africa and Asia, sometimes with disastrous consequences.</b>
<p style="text-align: justify; ">In this report, we identify the different external actors that are influencing this “developmental” agenda. These range from philanthropic organisations, private companies, and technology vendors, to state and international institutions. Most notable among these is the World Bank, whose influence we investigated in the form of case studies of Nigeria and Kenya. We also explored the role played by the “success” of the Aadhaar programme in India on these new ID systems. A key characteristic of the growing “digital identity for development” trend is the consolidation of different databases that record beneficiary data for government programmes into one unified platform, accessed by a unique biometric ID. This “Aadhaar model” has emerged as a default model to be adopted in developing countries, with little concern for the risks it introduces. Read and download the full report <a href="http://editors.cis-india.org/internet-governance/surveillance-enabling-identity-systems-in-africa" class="internal-link">here</a>.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar'>http://editors.cis-india.org/internet-governance/blog/surveillance-enabling-identity-systems-in-africa-tracing-the-fingerprints-of-aadhaar</a>
</p>
No publisher; Shruti Trikanad and Vrinda Bhandari; Surveillance, Aadhaar, Internet Governance, Privacy; 2022-08-09T08:17:32Z; Blog Entry
Supreme Court sets up constitution bench to hear Aadhaar privacy issues
http://editors.cis-india.org/internet-governance/news/livemint-priyanka-mittal-july-12-2017-supreme-court-sets-up-constitution-bench-to-hear-aadhaar-privacy-issues
<b>The Supreme Court’s five-judge constitution bench will also decide if the Aadhaar privacy issue should be heard by a larger bench.</b>
<p>The article by Priyanka Mittal was <a class="external-link" href="http://www.livemint.com/Politics/qgZWZgkGo2S7QUTRo53jMN/Aadhaar-case-Constitution-Bench-hearing-on-18-19-July.html">published in Livemint</a> on July 12, 2017. Sunil Abraham was quoted.</p>
<hr style="text-align: justify; " />
<p style="text-align: justify; ">A five-judge constitution bench will hear arguments on 18-19 July as to whether Indian citizens have the right to privacy, and whether the Aadhaar unique identity project breaches the right.</p>
<p style="text-align: justify; ">Chief Justice of India (CJI) J.S. Khehar on Wednesday set the dates for the hearing by the constitution bench, which will decide whether the issue should be heard by a larger bench.</p>
<p style="text-align: justify; ">Should the five-judge bench decide to rule on the case itself and not refer it to a larger bench, it will decide the future of Aadhaar, which has become the backbone of government welfare programmes, the tax administration network and online financial transactions.</p>
<p>This will be based on whether the right to privacy is a fundamental right of Indian citizens.</p>
<p style="text-align: justify; ">Privacy rights activists argue that personal data gathered under the Aadhaar programme, aimed at giving a unique 12-digit identity number to every Indian, is vulnerable to abuse. Then attorney general Mukul Rohatgi told the Supreme Court in 2015 that Indian citizens don’t have a fundamental right to privacy under the Indian Constitution—an argument he repeated subsequently.</p>
<p style="text-align: justify; ">“In the two-day hearing, the court is not going to decide the full issue of privacy,” said Alok Prasanna Kumar, a lawyer and visiting fellow at think tank Vidhi Centre for Legal Policy, explaining how the Constitution bench is likely to proceed. “They are going to take a call on whether, in light of precedents, there is a need to refer the issue to a larger bench. There are past judgements and the court will have to look at the scope of privacy under each to decide the number of judges.”</p>
<p style="text-align: justify; ">He added: “If the five-judge bench agrees with the precedents, then it would continue to address the angle of privacy; if not, then it would be referred back to the CJI to constitute a larger bench of nine judges.”</p>
<p style="text-align: justify; ">All cases related to Aadhaar, including the right to privacy, will be heard by the constitution bench; the court decided to set up the constitution bench to hear the privacy case in August 2015.</p>
<p style="text-align: justify; ">The CJI’s decision came on a plea by advocate Shyam Divan, who has appeared in several cases opposing Aadhaar, and attorney general K.K. Venugopal seeking the speedy creation of a Constitution bench. It came a week after justice J. Chelameswar said that all matters related to Aadhaar should be addressed by a constitution bench.</p>
<p style="text-align: justify; ">“I see it as a step in the right direction. Personally, I hope that the privacy issue is heard by a five-judge bench as against a larger bench as that can bring more disagreement,” said Sunil Abraham, executive director of Bengaluru-based research think tank Centre for Internet and Society.</p>
<p style="text-align: justify; ">Last month, the Supreme Court upheld the government’s decision to link Aadhaar with the permanent account number (PAN) for filing of income-tax returns but ruled that non-compliance with the law will carry no retrospective consequences.</p>
<p style="text-align: justify; ">Under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, the unique identity number is mandatory only to receive social welfare benefits.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-priyanka-mittal-july-12-2017-supreme-court-sets-up-constitution-bench-to-hear-aadhaar-privacy-issues'>http://editors.cis-india.org/internet-governance/news/livemint-priyanka-mittal-july-12-2017-supreme-court-sets-up-constitution-bench-to-hear-aadhaar-privacy-issues</a>
</p>
No publisher | praskrishna | Aadhaar | Internet Governance | Privacy | 2017-07-14T10:55:04Z | News Item
Supreme Court provides partial relief for Aadhaar
http://editors.cis-india.org/internet-governance/news/livemint-october-15-2015-apurva-vishwanath-saurabh-kumar-supreme-court-provides-partial-relief-for-aadhaar
<b>In a small but significant win for the government, the Supreme Court on Thursday allowed the use of the Aadhaar number for the Mahatma Gandhi National Rural Employment Guarantee Scheme (MGNREGS), the Pradhan Mantri Jan Dhan Yojana, pensions by central and state governments, and the Employees’ Provident Fund Scheme, in addition to its current use in the public distribution system (PDS) and the distribution of cooking gas and kerosene.</b>
<p>The article by Apurva Vishwanath and Saurabh Kumar was published in <a class="external-link" href="http://www.livemint.com/Politics/XoXAlzO9SeGqB15LvBj0yN/SC-extends-voluntary-use-of-Aadhaar-for-govt-schemes.html">Livemint </a>on October 15, 2015. Sunil Abraham was quoted.</p>
<hr />
<p style="text-align: justify; ">In an interim order on 11 August, the apex court had restricted the use of Aadhaar, the unique identity number, to the PDS and the distribution of cooking gas and kerosene.</p>
<p style="text-align: justify; ">Subsequently, several state governments, government departments and regulatory agencies put up a joint defence seeking a modification of the interim order. They included the Reserve Bank of India (RBI), the Securities and Exchange Board of India and the Telecom Regulatory Authority of India, the governments of Jharkhand, Maharashtra, Uttarakhand, Himachal Pradesh, Gujarat and Rajasthan, and industry body Indian Banks’ Association, along with the Unique Identification Authority of India (UIDAI), the issuer of Aadhaar.</p>
<p style="text-align: justify; ">A five-judge constitutional bench comprising Chief Justice H.L. Dattu and justices M.Y. Eqbal, C. Nagappan, Arun Mishra and Amitava Roy said in an order on Thursday: “We are of the opinion that in para 3 of the interim order, we can include schemes like MGNREGS, pensions by state and central government, Jan Dhan Yojana and Employees’ Provident Fund Scheme along with PDS and LPG (liquefied petroleum gas).”</p>
<p style="text-align: justify; ">Para 3 of the 11 August interim order had allowed the voluntary use of Aadhaar only for direct benefit transfer in foodgrain, kerosene and cooking gas schemes.</p>
<p style="text-align: justify; ">The court’s interim order threw an element of uncertainty around flagship government programmes such as biometric attendance for government employees; the Jan Dhan Yojana, the Prime Minister’s ambitious financial inclusion initiative; digital certificates, and pension payments.</p>
<p style="text-align: justify; ">It also threatened to derail India’s progress towards a cashless economy where payments banks are expected to play an important role.</p>
<p style="text-align: justify; ">All of these depend on linking accounts to individuals electronically, and are dependent on the Aadhaar number.</p>
<p style="text-align: justify; ">“The government was able to convince the court on the utility of Aadhaar which is critical to provide services to the most vulnerable section of the society,” said a government official who spoke on condition of anonymity.</p>
<p style="text-align: justify; ">The apex court, however, did not allow the use of Aadhaar for the e-know-your-customer (e-KYC) specifically, which would have helped banks, including payments banks, to enrol new customers and telecom operators for issuing SIM cards. However, it is noteworthy that while obtaining bank accounts under the Jan Dhan scheme, banks use e-KYC. The clarification that RBI sought from the court, on whether the Aadhaar number can be used as proof of identification to open a bank account, still remains uncertain.</p>
<p style="text-align: justify; ">This will affect banks, mutual funds and companies that have won in-principle payments bank licences such as Airtel M Commerce Services Ltd (from the stable of Bharti Airtel Ltd, which had a customer base of 231.6 million as of July) and Vodafone m-pesa Ltd (a part of Vodafone India Ltd, which had a customer base of 185.4 million as of July).</p>
<p style="text-align: justify; ">The licensees also include the department of posts, which has 155,015 post offices across the country, of which 139,144 are in rural areas. The sheer reach of these entities is unrivalled. These entities hope to ride on the technology platform to reach customers, and e-KYC is critical to the process.</p>
<p style="text-align: justify; ">“The reason why the court has allowed use of Aadhaar for Jan Dhan Yojana and not other banking services is perhaps because the government made a humanitarian argument that the poorest will be able to avail banking services. It is, however, a technologically flawed argument, deeply so,” said Sunil Abraham, executive director of Bengaluru-based research organization Centre for Internet and Society.</p>
<p style="text-align: justify; ">The bench ordered the Union government to follow all earlier interim orders issued by the Supreme Court starting September 2013. Some of these orders include a restraint on sharing of biometrics and keeping Aadhaar voluntary.</p>
<p style="text-align: justify; ">As of now, 920 million Indian citizens have been allotted Aadhaar numbers. The interim stay was affecting beneficiaries of the MGNREGS (91.7 million), pensioners (27.1 million) and recipients of scholarships (25.7 million), among others, according to data from the Unique Identification Authority of India (UIDAI). Till now, 187 million bank accounts have been opened under the Pradhan Mantri Jan Dhan Yojana.</p>
<p style="text-align: justify; ">The apex court made the interim ruling in an ongoing hearing where several pleas related to Aadhaar were clubbed together. Some relate to Aadhaar numbers being made mandatory to enable people to avail of certain government benefits and services. Others deal with the number being a violation of privacy, especially in the absence of any backing regulation or oversight, and yet others deal with possible misuse of the information.</p>
<p style="text-align: justify; ">However, the constitution bench had clarified on Wednesday that only pleas seeking clarification and modification of the interim order will be decided, and the issue concerning the right to privacy will be heard subsequently by another constitution bench.</p>
<p style="text-align: justify; ">“I am very disappointed with the court’s order. The government claims that Aadhaar is voluntary, but actually it will not be till it is delinked from all government schemes. This way, people who do have Aadhaar are excluded and will have to run from pillar to post to receive benefits if they do not have the number,” said Kamayani Bali Mahabal, a Mumbai-based lawyer, human rights activist and a petitioner in the UIDAI case. She added that the order may increase the incidents of fake Aadhaar numbers as ineligible people choose to gain from all schemes, depriving the poor and aged of real benefits.</p>
<p style="text-align: justify; ">The attorney general, Mukul Rohatgi, on Wednesday assured the court that the government has issued advertisements in over 20 languages that Aadhaar is a voluntary scheme.</p>
<p style="text-align: justify; ">On 14 Wednesday, <i>PTI </i>reported that a Right to Information application has shown that the UIDAI has identified more than 25,000 duplicate Aadhaar numbers till August.</p>
<p style="text-align: justify; ">Mathew Thomas, one of the petitioners challenging the use and validity of the Aadhaar scheme, also expressed disappointment at the court’s ruling today. “Aadhaar is a case of great importance to the billion citizens of India. It is unfortunate that the constitution bench spent only a few hours in hearing the issues,” he said.</p>
<p style="text-align: justify; ">The Supreme Court will appoint a larger bench of at least nine judges to hear the privacy issue. The court in 1954, in the case of M.P. Sharma vs Satish Chandra, ruled that the right to privacy was not a fundamental right recognized by the Constitution. This case was decided by an eight-judge bench of the apex court, and only a bench of equal or larger strength will be able to override that decision.</p>
<p style="text-align: justify; ">The Chief Justice in the order on Thursday said that the larger bench, with nine or 11 judges, will be constituted at the earliest to hear the matter on Aadhaar potentially violating privacy and other intervening applications.</p>
<p style="text-align: justify; ">The petitioners have argued that UIDAI was approved only by an empowered group of ministers during the United Progressive Alliance tenure and has no statutory authority to collect biometrics of residents. Senior counsel for the petitioners, Shyam Divan, said: “The only law in India which allows the government to collect fingerprints is the Prisoner’s Act of 1920, which is a colonial enactment.”</p>
<p style="text-align: justify; ">The UIDAI does not have any legislative backing and was constituted by notification in 2009 by the erstwhile Planning Commission. Divan, however, said that the Planning Commission notification has no effect since the body itself has ceased to exist, and added that the centre is not introducing a legislation empowering the Aadhaar scheme as it realizes the vulnerability of the entire exercise.</p>
<p style="text-align: justify; ">The National Identification Authority of India Bill was introduced in the Rajya Sabha in 2010.</p>
<p style="text-align: justify; ">In 2012, the centre was mulling a privacy law that could be enacted to support the UIDAI scheme and, in connection, the Planning Commission then formed an expert committee on privacy under A.P. Shah, a former chairperson of the Law Commission.</p>
<p>
For more details visit <a href='http://editors.cis-india.org/internet-governance/news/livemint-october-15-2015-apurva-vishwanath-saurabh-kumar-supreme-court-provides-partial-relief-for-aadhaar'>http://editors.cis-india.org/internet-governance/news/livemint-october-15-2015-apurva-vishwanath-saurabh-kumar-supreme-court-provides-partial-relief-for-aadhaar</a>
</p>
No publisher | praskrishna | Aadhaar | Internet Governance | Privacy | 2015-10-18T05:01:49Z | News Item